[Pkg-openldap-devel] Bug#761406: Bug#761406: slapd: dangerous access rule in default config
Ryan Tandy
ryan at nardis.ca
Sat Sep 13 19:05:25 UTC 2014
Control: tags -1 + pending
On 13/09/14 08:41 AM, Dietrich Clauss wrote:
> When the LDAP is used to authenticate users (e.g. in conjunction with
> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self write" allows
> the user to change her uidNumber and impersonate another user.
>
> IMO the default config should allow self-write access to userPassword
> and shadowLastChange only.
Thanks for the report. I've removed the offending 'by self write' in
git. I'm not sure why that was added in the first place. The default
slapd.conf didn't have it and I didn't find any comments about it.
I don't think I'm comfortable doing an automated ACL change to existing
installs. A NEWS.Debian entry suggesting the change (and mentioning how
to do it) might be appropriate, though.
thanks,
Ryan
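As an added illustration (not part of this thread, and not the Debian package's own configuration files), the following LDIF shows the shape of the overly broad ACL the report describes, as a comment for comparison, beside the restricted form the reporter proposes (self-write on userPassword and shadowLastChange only), applied as an olcAccess replacement on cn=config. The database DN `olcDatabase={1}mdb,cn=config` is an assumption and must be checked against the target system.

```ldif
# Constructed reconstruction of the problematic rule, for comparison only:
#   olcAccess: to * by self write by * read
# It lets any bound user rewrite every attribute of their own entry,
# including uidNumber/gidNumber, which NSS/PAM use to map the identity.
#
# Assumed database DN; confirm it first with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Users may change only their own password; anonymous binds may
# authenticate against it, nobody may read it.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Users may update their own password-age stamp (pam_ldap/nslcd need this).
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by * read
# Everything else, uidNumber included, is read-only for everyone.
olcAccess: {2}to *
  by * read
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` on the server, then confirm that a bind as an ordinary user can still change its own userPassword but gets "insufficient access" when trying to modify its own uidNumber.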