bin/71290: [PATCH] passwd cannot change passwords other than NIS/local (e.g. via pam_ldap)

Pawel Wieleba wielebap at
Thu Sep 2 08:00:42 PDT 2004

>Number:         71290
>Category:       bin
>Synopsis:       [PATCH] passwd cannot change passwords other than NIS/local (e.g. via pam_ldap)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 02 15:00:37 GMT 2004
>Originator:     Pawel Wieleba
>Release:        FreeBSD 5.2.1
FreeBSD server 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0:
Initially this problem was announced in PR#71202. I was asked by marcus to divde this PR and so I'm doing.

This problem (and two others) is described in the article:

You can also check PR #71287(pam_ldap).

I cannot change passwords LDAP users passwords via pam_ldap. Why it is prohibited??? Are there any security problems??? 

Please let me know,
Pawel Wieleba

Example config:
% cat /etc/pam.d/passwd
password sufficient no_warn try_first_pass nullok
password sufficient use_first_pass

You have to change and recompile /usr/src/usr.bin/passwd to enable changing pam_ldap passwords (I use this patch).
A patch:
%diff -u passwd.c.orig passwd.c
--- /usr/src/usr.bin/passwd/passwd.c.orig  Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c       Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
                /* XXX: Green men ought to be supported via PAM. */
-               errx(1,
-         "Sorry, `passwd' can only change passwords for local or NIS users.");
+               fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");

 #define pam_check(func) do { \

More information about the freebsd-bugs mailing list