I believe you can use the rootbinddn feature in pam_ldap.conf to allow the root user to change other users' passwords via the passwd command, although it requires you to store rootbinddn's authentication info on the system, which could constitute a security risk. See pam_ldap(5) for more info.
-Michael Proto
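As an added example that is not part of the thread: a small POSIX shell check for the risk Michael points out, the stored rootbinddn password. pam_ldap keeps that password in a secret file outside pam_ldap.conf (the PADL pam_ldap documentation names /etc/ldap.secret; the path is passed as an argument below because it varies by build), and that file should be root-owned, mode 0600 and non-empty. The script assumes GNU `stat -c`, as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): audit the file holding the
# rootbinddn password that pam_ldap reads at passwd time.

# Returns 0 when an octal mode string grants nothing to group or other
# (e.g. 600, 400, 0600); returns 1 otherwise (e.g. 644, 640).
secret_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_ldap_secret PATH
# Returns 0 when PATH exists, is owned by root, is not readable by group
# or other, and is non-empty; otherwise prints each problem and returns 1.
check_ldap_secret() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # GNU coreutils stat: %u = owner uid, %a = permission bits in octal.
    owner=$(stat -c %u "$f")
    mode=$(stat -c %a "$f")
    if [ "$owner" != "0" ]; then
        echo "not owned by root: $f (uid $owner)"
        rc=1
    fi
    if ! secret_mode_ok "$mode"; then
        echo "readable by group/other: $f (mode $mode)"
        rc=1
    fi
    if [ ! -s "$f" ]; then
        echo "empty secret file: $f"
        rc=1
    fi
    return $rc
}

# Typical invocation on a PADL pam_ldap host (path is an assumption):
# check_ldap_secret /etc/ldap.secret
```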
On Sat, Jul 20, 2013 at 8:59 AM, Augustin Wolf augustynwilk@gmail.com wrote:
Hi list, I'm using CentOS 6.4, and moved user management to OpenLDAP. As far as it works fine for a user - the user can log in, do `passwd` to change his password, etc. - it fails for root to change users' passwords. Root has to use ldapmodify. Is it normal behavior, or do I have some configuration errors?
For now, LDAP ACL was "turned off" - every user has manage permission. I know it's a security issue, but I wanted to remove potential interference. I will change this as soon as root can change users' passwords. SELinux was also turned off to eliminate its potential interference. Iptables was "turned off" as well, though I think it doesn't matter as long as port 389 is open.
My configs, logs, etc. are here: http://fpaste.org/26708/ Thanks in advance, Augustyn