[Pkg-openldap-devel] Bug#673400: slapd: normal user is able to change/delete/unset the password of other users

Helmuth Gronewold debian at dlowen.org
Fri May 18 11:19:11 UTC 2012 

Package: slapd
Version: 2.4.23-7.2
Severity: normal

I've installed slapd on a plain debian squeeze together with ldap-account-manager. 

After configuring slapd with dpkg-reconfigure, I logged in as admin on the ldap-account-manager and created 2 users (user1, user2). I logged in as user1 and changed personal information. I noticed, that I am not able to change values of user2 except for the password. It's possible, logged in as user1, to change/delete/unset the password of user2 and vice versa. It seems that the standard setup lacks something like the following lines:

access to attr=userPassword
	by self write
	by anonymous auth
	by dn.base="cn=Manager,dc=example,dc=com" write
	by * none

I report this as a critical bug, since it could cause information leakage and not wanted privileges to services that authenticate against LDAP.


-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                3.112+nmu2        add and remove users and groups
ii  coreutils              8.5-1             GNU core utilities
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libc6                  2.11.3-3          Embedded GNU C Library: Shared lib
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libgnutls26            2.8.6-1+squeeze2  the GNU TLS library - runtime libr
ii  libldap-2.4-2          2.4.23-7.2        OpenLDAP libraries
ii  libltdl7               2.2.6b-2          A system independent dlopen wrappe
ii  libperl5.10            5.10.1-17squeeze3 shared Perl library
ii  libsasl2-2             2.1.23.dfsg1-7    Cyrus SASL - authentication abstra
ii  libslp1                1.2.1-7.8         OpenSLP libraries
ii  libwrap0               7.6.q-19          Wietse Venema's TCP wrappers libra
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  perl [libmime-base64-p 5.10.1-17squeeze3 Larry Wall's Practical Extraction 
ii  psmisc                 22.11-1           utilities that use the proc file s
ii  unixodbc               2.2.14p2-1        ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules          2.1.23.dfsg1-7 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                    2.4.23-7.2 OpenLDAP utilities

-- debconf information:
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
  slapd/password_mismatch:
  slapd/invalid_config: true
* shared/organization: example.com
  slapd/upgrade_slapcat_failure:
* slapd/backend: HDB
  slapd/dump_database: when needed
* slapd/allow_ldap_v2: false
* slapd/no_configuration: false
* slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
* slapd/purge_database: true
* slapd/domain: example.com

More information about the Pkg-openldap-devel mailing list