passwd(1), pam_ldap and old PRs
Jonathan McKeown
jonathan+freebsd-questions at hst.org.za
Tue Sep 4 07:41:22 PDT 2007
I asked this on -hackers@ several weeks ago and the silence was deafening -
what I have heard referred to as Warnock's Dilemma.
I'm experimenting with OpenLDAP, pam_ldap, and pgina with the PAM plugin on
Windows clients, for central authentication in a mixed network.
passwd(1) won't allow me to change a password other than local or NIS.
There are two relevant PRs, one open (bin/71290) and one suspended (bin/59638).
Looking at the source, it appears passwd.c has been rewritten (some years
since) to use the PAM infrastructure for password changes. This goes most of
the way to addressing bin/59638. However, there is a switch statement at
lines 112-126 of /usr/src/usr.bin/passwd/passwd.c (on 6.2-RELEASE) which
prevents it from working except for files and nis, using constants defined in
<pwd.h> and commented there as being ``bogus''. bin/71290 includes a patch
which would fix this (although I do think it would be a shame to lose the
comment about green men).
Is there any reason other than historical that this PR and patch is being
ignored and the old behaviour is being preserved? What would be the drawback
to removing the switch statement as proposed, and allowing passwd(1) to
change the user's password using PAM, wherever it might be stored?
Jonathan