Re: [SSSD] [PATCH] use old password if available during password change

2009-10-12 Thread Sumit Bose
On Fri, Oct 09, 2009 at 04:29:42PM -0400, Simo Sorce wrote:
 On Fri, 2009-10-09 at 21:02 +0200, Sumit Bose wrote:
  Hi,
  
  this one should fix #223. Because sshd runs as root the old password was
  not sent to sssd and changing the user password failed. Please review
  carefully.
 
 I guess the problem here is to understand what do current pam modules,
 when used through the proxy backend, expect.
 

The current pam modules do not expect anything here, because they will
handle expired password during pam_acct_mgmt and not during
pam_authenticate.

 Do they skip checks or ignore if the provided password is valid or not ?
 Should we think of forking a child in proxy and running it as the user
 that is attempting the password change? (Assuming we know it ?)

I think forking isn't needed here, because pam_sss should be kept
simple. Send everything you know to sssd and wait for a response.

bye,
Sumit

 
 Otherwise the patch looks sane to me, so I'd give a tentative ack.
 
 Simo.
 
 ___
 sssd-devel mailing list
 sssd-devel@lists.fedorahosted.org
 https://fedorahosted.org/mailman/listinfo/sssd-devel


Re: [SSSD] [PATCH] use old password if available during password change

2009-10-09 Thread Simo Sorce
On Fri, 2009-10-09 at 21:02 +0200, Sumit Bose wrote:
 Hi,
 
 this one should fix #223. Because sshd runs as root the old password was
 not sent to sssd and changing the user password failed. Please review
 carefully.

I guess the problem here is to understand what do current pam modules,
when used through the proxy backend, expect.

Do they skip checks or ignore if the provided password is valid or not ?
Should we think of forking a child in proxy and running it as the user
that is attempting the password change? (Assuming we know it ?)

Otherwise the patch looks sane to me, so I'd give a tentative ack.

Simo.
