[Pkg-openldap-devel] Bug#669235: Incorrect/unoptimal ACL prevent nss/shadow to work with anonymous bind
Marco Gaiarin
gaio at sv.lnf.it
Wed Apr 18 10:30:54 UTC 2012
Package: slapd
Version: 2.4.23-7.2
[I still use the slapd.conf file, not cn=schema, but I think that it is
the same...]
The default configuration file slapd.conf (supplied/handled by debconf
in /etc/ldap/, or provided as an example in /usr/share/doc/slapd/examples/slapd.conf)
uses a suboptimal ACL:
access to attrs=userPassword,shadowLastChange
by dn="@ADMIN@" write
by anonymous auth
by self write
by * none
This ACL prevents anonymous (read) access to 'shadowLastChange',
preventing nss (I've tested libnss-ldap and libnss-ldaps/nslcd; it is
the same), if configured to use an anonymous bind, from correctly handling
password expiration saved in LDAP.
With libnss-ldap, you can set 'rootbinddn', with libnss-ldaps/nslcd you
are forced to bind with sufficient privileges.
I think that 'shadowLastChange' is information that doesn't need more
privacy than the other shadow* ones, so I propose this new ACL:
access to attrs=userPassword
by dn="@ADMIN@" write
by anonymous auth
by self write
by * none
access to attrs=shadowLastChange
by dn="@ADMIN@" write
by self write
by * read
Thanks.
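The following is an added example, not part of the bug report and not OpenLDAP code: a small Python evaluator for the subset of slapd.conf ACL syntax used above (attrs= targets; the dn="...", anonymous, self and * selectors; the access-level ordering from slapd.access(5), where the first matching "access to" directive wins and within it the first matching "by" clause decides). It replays both ACLs from the report against an anonymous bind and shows why the original one denies an anonymous read of shadowLastChange (the "by anonymous auth" clause matches first, and auth is below read) while still keeping userPassword unreadable under the proposed one. The DNs, the attribute sample and the "deny when nothing matches" fallback are assumptions for the example; @ADMIN@ is substituted the way debconf would.

```python
"""Tiny evaluator for 'access to attrs=...' directives in slapd.conf style.

Hypothetical helper written for this example; it is NOT slapd's ACL engine and
models only what the bug report uses. Semantics reproduced from slapd.access(5):
  * directives are tried in order; the first whose attrs= list contains the
    requested attribute is the one that applies,
  * inside it, the first 'by' clause whose selector matches the bound DN decides,
  * an access level grants itself and every level below it.
"""
import re

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN_DN = "cn=admin,dc=example,dc=com"            # assumed value of @ADMIN@
USER_DN = "uid=alice,ou=people,dc=example,dc=com"  # assumed posixAccount entry

# The two ACLs exactly as they appear in the report (constructed copies).
ORIGINAL_ACL = """
access to attrs=userPassword,shadowLastChange
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none
"""

PROPOSED_ACL = """
access to attrs=userPassword
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none
access to attrs=shadowLastChange
        by dn="@ADMIN@" write
        by self write
        by * read
"""


def parse_acl(text, admin_dn=ADMIN_DN):
    """Parse 'access to attrs=a,b' blocks and their 'by <who> <level>' lines."""
    text = text.replace("@ADMIN@", admin_dn)  # debconf fills this placeholder in
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'access\s+to\s+attrs=(\S+)', line)
        if m:
            acls.append({"attrs": set(m.group(1).split(",")), "by": []})
            continue
        m = re.match(r'by\s+(dn="[^"]*"|anonymous|self|\*)\s+(\w+)', line)
        if m and acls:
            acls[-1]["by"].append((m.group(1), m.group(2)))
    return acls


def who_matches(who, bind_dn, target_dn):
    """Does the 'by' selector apply to a bind as bind_dn (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn="'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    return False


def allowed(acls, bind_dn, target_dn, attr, wanted):
    """True if bind_dn gets at least 'wanted' access to attr on target_dn."""
    for acl in acls:
        if attr not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False  # directive applied but no 'by' clause matched: denied
    return False      # simplification: nothing matched, treat as denied


def nss_can_read_shadow(acl_text, bind_dn=None):
    """What an NSS client bound as bind_dn (anonymous by default) sees."""
    return allowed(parse_acl(acl_text), bind_dn, USER_DN, "shadowLastChange", "read")


def anonymous_can_read_password(acl_text):
    """The property both ACLs must keep: userPassword stays unreadable."""
    return allowed(parse_acl(acl_text), None, USER_DN, "userPassword", "read")


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        print(name, "anonymous read shadowLastChange:", nss_can_read_shadow(acl),
              "| anonymous read userPassword:", anonymous_can_read_password(acl))
```

Running it prints that the original ACL denies the anonymous shadowLastChange read and the proposed one allows it, with userPassword denied under both; the same `allowed()` call can be pointed at any other bind DN (self, the admin, an unrelated user) to confirm that the rewrite does not widen write access. On a live server the equivalent check is an anonymous `ldapsearch` for `shadowLastChange` against a user entry, which returns the attribute only under the proposed ACL.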