[Pkg-openldap-devel] Bug#673400: slapd: normal user is able to change/delete/unset the password of other users

Steve Langasek vorlon at debian.org
Sun Jun 17 05:33:44 UTC 2012


severity 673400 important
tags 673400 moreinfo unreproducible
thanks

On Fri, May 18, 2012 at 07:19:11AM -0400, Helmuth Gronewold wrote:
> Package: slapd
> Version: 2.4.23-7.2
> Severity: normal

> I've installed slapd on a plain debian squeeze together with
> ldap-account-manager.

> After configuring slapd with dpkg-reconfigure, I logged in as admin on the
> ldap-account-manager and created 2 users (user1, user2).  I logged in as
> user1 and changed personal information.  I noticed, that I am not able to
> change values of user2 except for the password.  It's possible, logged in
> as user1, to change/delete/unset the password of user2 and vice versa.  It
> seems that the standard setup lacks something like the following lines:

> access to attr=userPassword
> 	by self write
> 	by anonymous auth
> 	by dn.base="cn=Manager,dc=example,dc=com" write
> 	by * none

> I report this as a critical bug, since it could cause information leakage
> and not wanted privileges to services that authenticate against LDAP.

/usr/share/slapd/slapd.init.ldif, which is used to populate the initial
database configuration, contains exactly these lines:

 olcAccess: to attrs=userPassword,shadowLastChange
   by self write
   by anonymous auth
   by dn="cn=admin,@SUFFIX@" write
   by * none
 olcAccess: to dn.base="" by * read
 olcAccess: to *
   by self write
   by dn="cn=admin,@SUFFIX@" write
   by * read

And when I install slapd or reconfigure it, those olcAccess values are set
in /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif.  Can you
please attach that file from your system for comparison?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
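As an added illustration, not code from this thread, from OpenLDAP or from Debian, here is a small Python model of the first-match evaluation slapd applies to the olcAccess directives quoted above, so the effect of the userPassword clause being present or absent can be checked offline. It assumes @SUFFIX@ expands to dc=example,dc=com, uses two constructed DNs for the reporter's user1 and user2, and models only attribute-level rules (entry-level access and the dn.base="" rule are left out).

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# OpenLDAP privilege levels in increasing order; "write" implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class By:
    who: str      # "self", "anonymous", "*" or "dn=<exact bind DN>"
    access: str   # one of LEVELS

@dataclass
class Access:
    attrs: Optional[Set[str]]   # None models "to *"
    by: List[By]

# Assumed values: @SUFFIX@ filled in as dc=example,dc=com; user DNs are constructed.
ADMIN = "cn=admin,dc=example,dc=com"
USER1 = "uid=user1,ou=people,dc=example,dc=com"
USER2 = "uid=user2,ou=people,dc=example,dc=com"

# The two attribute-level directives quoted above from slapd.init.ldif.
DEFAULT_ACL = [
    Access({"userPassword", "shadowLastChange"},
           [By("self", "write"), By("anonymous", "auth"),
            By("dn=" + ADMIN, "write"), By("*", "none")]),
    Access(None, [By("self", "write"), By("dn=" + ADMIN, "write"), By("*", "read")]),
]
# The situation the reporter suspects: only the catch-all directive present.
MISSING_ACL = DEFAULT_ACL[1:]

def granted(acl, bind_dn, target_dn, attr):
    """Access level bind_dn (None = anonymous) gets to attr on target_dn.

    The first "to" clause matching the attribute wins; inside it the first
    matching "by" clause decides; with no matching "by", access is denied."""
    for clause in acl:
        if clause.attrs is not None and attr not in clause.attrs:
            continue
        for rule in clause.by:
            if (rule.who == "*"
                    or (rule.who == "self" and bind_dn is not None and bind_dn == target_dn)
                    or (rule.who == "anonymous" and bind_dn is None)
                    or (rule.who.startswith("dn=") and bind_dn == rule.who[3:])):
                return rule.access
        return "none"
    return "none"

def allows(acl, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. "write")."""
    return LEVELS.index(granted(acl, bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

In this model the quoted defaults give user1 no access at all to user2's userPassword, while dropping the attribute clause lets the catch-all expose the hash as read without granting write, which is why comparing the installed olcDatabase={1}hdb.ldif against slapd.init.ldif is the first thing to check.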