Package: libpam-ldap
Version: 184-8.7+b1
Severity: important

Dear Maintainer,

On Jessie systems, when an end user located in an LDAP directory changes their password, the password is changed by the rootbinddn instead of the end user dn. Wheezy/Squeeze-based systems with PAM/libpam-ldap configured the same way change the password with the end user dn.

This statement is verified by LDAP auditlogs, showing attributes being changed by rootbinddn when called from Jessie while being changed by the end user dn on Wheezy.

The primary side effect of this is that LDAP Policy Overlay configuration is bypassed when the password is being changed by the privileged dn. This allows end users to repeat passwords (circumventing pwdHistory) and use short passwords (pwdMinLength).

While testing this, I tried downgrading the libpam-ldap package to the current version in Wheezy, i.e. 184-8.6; this exhibits the same behaviour.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libc6                  2.19-18
ii  libldap-2.4-2          2.4.40+dfsg-1
ii  libpam-runtime         1.1.8-3.1
ii  libpam0g               1.1.8-3.1

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:
ii  libnss-ldap  265-3+b1

-- debconf information:
  shared/ldapns/base-dn: dc=internal,dc=net
  libpam-ldap/dblogin: false
  libpam-ldap/rootbinddn: cn=admin,dc=internal,dc=net
  libpam-ldap/dbrootlogin: true
* libpam-ldap/override: false
  libpam-ldap/binddn: cn=proxyuser,dc=example,dc=net
  shared/ldapns/ldap-server: ldaps://172.31.150.10/
  libpam-ldap/pam_password: crypt
  shared/ldapns/ldap_version: 3
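
An audit-side check for the behaviour reported above, as an added example that is not part of the original report: it scans auditlog output for userPassword modifications whose modifiersName differs from the entry's own DN, which is how a change made through the rootbinddn shows up. The log records, user DNs, client addresses and function names are constructed for illustration, and the record layout is assumed to be the LDIF form written by OpenLDAP's auditlog overlay.

```python
import re

# Constructed sample records (assumed layout: OpenLDAP auditlog overlay LDIF,
# each change delimited by "# modify ..." and "# end modify ..." comments).
SAMPLE_AUDITLOG = """\
# modify 1435672800 dc=internal,dc=net cn=admin,dc=internal,dc=net IP=192.0.2.20:51234 conn=1042
dn: uid=alice,ou=people,dc=internal,dc=net
changetype: modify
replace: userPassword
userPassword:: Y29uc3RydWN0ZWQ=
-
replace: modifiersName
modifiersName: cn=admin,dc=internal,dc=net
-
# end modify 1435672800
# modify 1435672900 dc=internal,dc=net uid=bob,ou=people,dc=internal,dc=net IP=192.0.2.21:40110 conn=1043
dn: uid=bob,ou=people,dc=internal,dc=net
changetype: modify
replace: userPassword
userPassword:: Y29uc3RydWN0ZWQ=
-
replace: modifiersName
modifiersName: uid=bob,ou=people,dc=internal,dc=net
-
# end modify 1435672900
"""

def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, whitespace around RDNs ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def password_changes_not_by_owner(auditlog_text):
    # Returns (entry DN, modifier DN) for each userPassword change that was
    # written by an identity other than the entry itself.
    findings = []
    for record in re.split(r"(?m)^# end modify.*$", auditlog_text):
        fields = {"dn": None, "modifiersname": None}
        touches_password = False
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue  # skip record header comments and "-" separators
            key, value = key.strip().lower(), value.strip()
            if key in ("add", "replace") and value.lower() == "userpassword":
                touches_password = True
            elif key in fields:
                fields[key] = value
        dn, who = fields["dn"], fields["modifiersname"]
        if touches_password and dn and who and norm_dn(dn) != norm_dn(who):
            findings.append((dn, who))
    return findings
```

Legitimate administrator resets appear in the same result, so matches need to be correlated with PAM password-change activity on the client hosts.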