[Pkg-openldap-devel] [openldap] 01/01: Allow anyone to read shadowLastChange (#669235)
Ryan Tandy
rtandy-guest at moszumanska.debian.org
Fri Aug 28 20:09:29 UTC 2015
This is an automated email from the git hooks/post-receive script.
rtandy-guest pushed a commit to branch master
in repository openldap.
commit 088fb8ffa750f89e52bbb3c5e7f2d4ccf3d6a94f
Author: Ryan Tandy <ryan at nardis.ca>
Date: Fri Aug 28 12:41:04 2015 -0700
Allow anyone to read shadowLastChange (#669235)
---
debian/changelog | 4 ++++
debian/slapd.init.ldif | 5 ++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index c58d22c..d9d0360 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,10 @@ openldap (2.4.42+dfsg-2) UNRELEASED; urgency=medium
actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a
false positive; see #687022.
* Include the smbk5pwd man page in the slapd-smbk5pwd package.
+ * Allow anonymous read access to the shadowLastChange attribute by default,
+ allowing nss-ldap/nss-ldapd to handle password expiry correctly even when
+ bound anonymously. This was the only restricted shadow attribute, the
+ others were already world-readable. (Closes: #669235)
[ Peter Marschall ]
* Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
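Review bot: the new changelog entry says the access is allowed "by default", but it does not say which installations get the new default. The diffstat lists only debian/changelog and debian/slapd.init.ldif, so nothing in this commit touches the ACLs of a database that is already configured. Suggest stating that the change applies to newly initialised configurations, and pointing existing users at the two olcAccess rules they would need to apply themselves. Minor style point: "This was the only restricted shadow attribute, the others were already world-readable" is a comma splice and reads better with a semicolon.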
diff --git a/debian/slapd.init.ldif b/debian/slapd.init.ldif
index 2d04c5b..5488c7e 100644
--- a/debian/slapd.init.ldif
+++ b/debian/slapd.init.ldif
@@ -72,10 +72,13 @@ olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
-olcAccess: to attrs=userPassword,shadowLastChange
+olcAccess: to attrs=userPassword
by self write
by anonymous auth
by * none
+olcAccess: to attrs=shadowLastChange
+ by self write
+ by * read
olcAccess: to dn.base="" by * read
olcAccess: to *
by * read
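Review bot: in the new "to attrs=shadowLastChange" rule, "by self write" is carried over from the combined rule, so each entry can still modify its own shadowLastChange value. Because that value is what password expiry is calculated from, self-write weakens the expiry handling the changelog entry says this change is meant to support. If self-write is kept on purpose, a short comment in the LDIF saying why would help. Otherwise consider restricting writes on this attribute to an administrative identity. Also worth a comment: after the split, userPassword keeps "by anonymous auth" and "by * none" while shadowLastChange becomes readable by "*". A one-line note above the new rule explaining that the anonymous read is intentional (#669235) would keep a later cleanup from merging the two rules back together.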
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git