I believe you can use the rootbinddn feature in pam_ldap.conf to allow the root user the ability to change other users' passwords via the passwd command, although it requires you to store rootbinddn's authentication info on the system which could constitute a security risk. See pam_ldap(5) for more info.


-Michael Proto
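As an added check, not part of either post, a shell function that verifies the caveat above: rootbinddn is actually set in pam_ldap.conf and the secret file holding its bind password is root-owned and readable only by root. The secret file path is passed in because its location varies by distribution (the pam_ldap(5) default and packaged configs differ).

```shell
# Added example, not from the thread. Checks a pam_ldap.conf and the
# companion rootbinddn secret file. Both paths are arguments because the
# secret file location is an assumption that differs between distributions.
# Returns 0 when rootbinddn is set and the secret is root-only, 1 otherwise.
check_rootbinddn_secret() {
    conf="$1"
    secret="$2"

    # rootbinddn must be present as an uncommented directive with a value
    if ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+' "$conf"; then
        echo "rootbinddn is not set in $conf" >&2
        return 1
    fi

    # Without the secret file pam_ldap silently falls back to binding as the user
    if [ ! -f "$secret" ]; then
        echo "secret file $secret is missing; rootbinddn will not be used" >&2
        return 1
    fi

    # stat -c is GNU coreutils (as on CentOS): %u = owner uid, %a = octal mode
    owner=$(stat -c '%u' "$secret")
    mode=$(stat -c '%a' "$secret")
    if [ "$owner" != "0" ]; then
        echo "$secret must be owned by root (owner uid is $owner)" >&2
        return 1
    fi
    case "$mode" in
        600|400) ;;
        *) echo "$secret mode $mode exposes the bind password; use 0600" >&2
           return 1 ;;
    esac
    return 0
}
```

Run it as `check_rootbinddn_secret /etc/pam_ldap.conf /etc/pam_ldap.secret` (adjust the secret path to your pam_ldap build) after enabling rootbinddn.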


On Sat, Jul 20, 2013 at 8:59 AM, Augustin Wolf <augustynwilk@gmail.com> wrote:
Hi list,
I'm using CentOS 6.4, and moved user management to OpenLDAP. While
it works fine for a user - a user can log in, do `passwd` to change his
password, etc. - it fails for root to change users' passwords. Root
has to use ldapmodify. Is it normal behavior, or do I have some
configuration errors?

For now, LDAP ACL was "turned off" - every user has manage permission.
I know it's a security issue, but I wanted to remove potential
interference. I will change this as soon as root can change users'
passwords.
SELinux was also turned off to eliminate its potential interference.
Iptables was "turned off" as well, though I think it doesn't matter
as long as port 389 is open.

My configs, logs, etc are in here: http://fpaste.org/26708/
Thanks in advance,
Augustyn