FreeBSD 7/OpenLDAP: Howto change passwords

Jonathan McKeown jonathan+freebsd-questions at
Mon Nov 26 11:20:05 PST 2007

On Monday 26 November 2007 17:11, O. Hartmann wrote:
> Hello,
> trying to change passwords on a client machine for a LDAP authenticated
> user always fails due to the original passwd() command is not capable of
> changing passwords remotely.
> Their is a suggested patch, but is there an "official" way to do?

Hi Oliver

I've asked this question several times, here and on -hackers, with no very 
helpful response. I checked for PRs and several have been filed at various 
times and are in various different states.

As far as I can tell, the changes necessary to make passwd(1) work with the 
PAM infrastructure were made some years ago, but were diked out by a switch 
statement which appears to prevent a change to anything but /etc/passwd or 
NIS/YP. This switch relies on a set of constants which are themselves 
commented in the source as being ``bogus''.

The answer to our question may well be something like ``historical reasons'' 
or ``Principle of Least Astonishment'', but please, someone...

Is there a sound reason not to remove this guard statement and allow passwd(1) 
to change passwords in accordance with a PAM policy, as it is coded to do?

I've already offered to submit a patch if necessary: it hardly even needs a 
knowledge of C to fix this one - simply remove a switch statement and replace 
it with a simple printf.


More information about the freebsd-questions mailing list