Some directory servers either do not support the Password Modify Extended Operation (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062) for password changes, or have this feature disabled by default. SSSD is unable to perform a password change on such servers. Even though we recommend upgrading to servers that support this feature, there are still users who will benefit from SSSD being able to change a password without it.
Two example servers are IBM Tivoli Directory Server, which does not support this operation, and Oracle Directory Server, which may not have it enabled by default.
- A user wants to change his/her password against an LDAP server that does not support the Password Modify Extended Operation.
Provide a new configuration option, ldap_pwmodify_mode. This option can be set to one of two values, exop or ldap_modify, with exop as the default. This also gives us the ability to extend SSSD with another password change method in the future, should it ever be needed.
If this option is set to exop, SSSD uses the Password Modify extended operation to change the password, as it does now. If the value is ldap_modify, an ldap_modify operation on the user's entry is used to change the password instead.
Even though the ldap_modify operation sends the new password in plain text, servers typically hash the userPassword attribute before storing it.
Quote from the IBM Tivoli DS documentation: “After the server is configured, any new passwords (for new users) or modified passwords (for existing users) are encrypted before they are stored in the directory database. Subsequent LDAP searches will return a tagged and encrypted value.”
When a password change is requested, sdap_pam_chpass_handler_send is called. This request first authenticates the user with the current password and then, in sdap_pam_chpass_handler_auth_done, tries to change it with the extended operation by calling sdap_exop_modify_passwd_send. At this point we should check the value of the ldap_pwmodify_mode option and decide whether to continue with the extended operation or use the ldap_modify operation.
Both operations use the connection that verified the current password, not the connection used for ID lookups. Therefore the user who wants to change his/her password must be allowed to write to the userPassword attribute of their own object.
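The two request shapes described above, as an added example that is not SSSD's own code: it builds the RFC 3062 PasswdModifyRequestValue for exop mode and an LDIF modify of userPassword for ldap_modify mode, and, mirroring the note that both run on the user's own authenticated connection, refuses to build a request when the bound DN is not the user's DN. Function names, the replace-based LDIF form and the sample DN are assumptions.

```python
"""Build the password-change request selected by ldap_pwmodify_mode."""
import base64

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extop


def _ber_len(n):
    # DER length: short form below 128, otherwise 0x8N followed by N length bytes
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def exop_request(user_dn, old_pw, new_pw):
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0] OCTET STRING,
    oldPasswd [1] OCTET STRING, newPasswd [2] OCTET STRING } (RFC 3062)."""
    inner = (_tlv(0x80, user_dn.encode()) + _tlv(0x81, old_pw.encode())
             + _tlv(0x82, new_pw.encode()))
    return PASSWD_MODIFY_OID, _tlv(0x30, inner)


def _ldif_value(attr, value):
    # RFC 2849: values that are not SAFE-STRING must be base64-encoded with "::"
    raw = value.encode("utf-8")
    safe = (raw.isascii() and b"\n" not in raw and b"\r" not in raw
            and b"\0" not in raw and raw[:1] not in (b" ", b":", b"<"))
    return f"{attr}: {value}" if safe else f"{attr}:: {base64.b64encode(raw).decode()}"


def ldap_modify_request(user_dn, new_pw):
    """Plain modify of userPassword; the server is expected to hash it on store."""
    return "\n".join([f"dn: {user_dn}", "changetype: modify",
                      "replace: userPassword", _ldif_value("userPassword", new_pw), ""])


def build_password_change(mode, bound_dn, user_dn, old_pw, new_pw):
    """Dispatch on ldap_pwmodify_mode; bound_dn is the DN the connection was
    authenticated as with the current password (assumed parameter)."""
    if bound_dn != user_dn:
        raise PermissionError("password change must use the user's own connection")
    if mode == "exop":
        return exop_request(user_dn, old_pw, new_pw)
    if mode == "ldap_modify":
        return ldap_modify_request(user_dn, new_pw)
    raise ValueError(f"unknown ldap_pwmodify_mode: {mode}")
```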
Information on how to change the password using the simple LDAP modify operation can be found here.
- New option: ldap_pwmodify_mode with possible values exop and ldap_modify.
- Set ldap_pwmodify_mode to ldap_modify and try to change the user's password.
- Pavel Březina <email@example.com>