[Pkg-openldap-devel] slapd: dangerous access rule in default config

Ryan Tandy ryan at nardis.ca
Sun Feb 1 19:48:11 UTC 2015


[changed CC to explicitly include pkg-openldap-devel at l.a.d.o. context: 
we are talking about an advisory to warn stable users about #761406, and 
about fixing it in stable]

On Tue, Jan 27, 2015 at 06:35:47PM -0800, Ryan Tandy wrote:
>On Tue, Jan 27, 2015 at 05:35:08PM +0100, Yves-Alexis Perez wrote:
>>For the stable upload, there's no rush (since the thing is already 
>>public right now and we just want exposure so people are somehow 
>>forced to fix their setup).
>
>OK. So there are two functional packaging commits related to this 
>(plus subsequent translation updates):
>
>1d124f2 fixes the default acl used for new initial configs.
>1868c7d adds the (conditional) debconf note and some text in 
>README.Debian about how to fix it.
>
>IMO both should be safe and suitable for stable.
>
>http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/commit/?id=1d124f25f57c5f0dcbe935e1ea796e767e2603bd
>http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/commit/?id=1868c7d3e2efc0500585d20dd7b771ace9d4aca9
>
>On Tue, Jan 27, 2015 at 06:14:15PM +0100, Luca Bruno wrote:
>>It looks like the saner config has never been ported to stable, so I think
>>that the bare minimum for the DSA is that.
>
>Right, it would be nice to not continue generating new dangerous 
>configs after the advisory goes out. :)
>
>On Wed, Jan 28, 2015 at 12:17:18PM +1100, Brian May wrote:
>>How does this warning work? Does it automatically test for vulnerable
>>configurations somehow, or does it warn for all upgrades?
>
>It greps specifically for an acl beginning with "to * by self write", 
>the former default, on any database. Anything else will not trigger 
>it.
>
>>I think backporting to wheezy and squeeze-lts would be a good idea, unless
>>backporting is complicated for any reason. If it is just a simple debconf
>>note, it sounds like it should be simple.
>
>It should be safe. I'll prepare and test the diff as soon as I have 
>time (probably not this evening, sorry).

Proposed stable diff (modulo UNRELEASED) attached, with changes picked 
from jessie. Comments? Next steps?

thanks,
Ryan
-------------- next part --------------
diff -u openldap-2.4.31/debian/slapd.templates openldap-2.4.31/debian/slapd.templates
--- openldap-2.4.31/debian/slapd.templates
+++ openldap-2.4.31/debian/slapd.templates
@@ -143,0 +144,16 @@
+
+Template: slapd/unsafe_selfwrite_acl
+Type: note
+#flag:comment:3
+# Translators: keep "by self write" and "to *" unchanged. These are part
+# of the slapd configuration and are not translatable.
+_Description: Potentially unsafe slapd access control configuration
+ One or more of the configured databases has an access control rule that
+ allows users to modify most of their own attributes. This may be
+ unsafe, depending on how the database is used.
+ .
+ In the case of slapd access rules that begin with "to *", it is
+ recommended to remove any instances of "by self write", so that users
+ are only able to modify specifically allowed attributes.
+ .
+ See /usr/share/doc/slapd/README.Debian.gz for more details.
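Review bot: the description says only "One or more of the configured databases" and never tells the admin which database or rule matched, so the note on its own gives no way to locate the problem. Consider putting the listing command that README.Debian documents (the ldapsearch over cn=config for olcAccess) into the extended description, so the note is actionable without opening the README first.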
diff -u openldap-2.4.31/debian/slapd.init.ldif openldap-2.4.31/debian/slapd.init.ldif
--- openldap-2.4.31/debian/slapd.init.ldif
+++ openldap-2.4.31/debian/slapd.init.ldif
@@ -79,7 +79,6 @@
   by * none
 olcAccess: to dn.base="" by * read
 olcAccess: to *
-  by self write
   by dn="cn=admin, at SUFFIX@" write
   by * read
 
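Review bot: once "by self write" is dropped from the "to *" rule, nothing visible in this hunk still lets a user change their own password; the only context from the preceding rule is its closing "by * none". The changelog entry says self-modification is disallowed "except specific attributes", so please confirm that the earlier rule grants self write on those attributes and name them in the commit message, so a reader of the diff does not have to open the full file to check.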
diff -u openldap-2.4.31/debian/slapd.README.Debian openldap-2.4.31/debian/slapd.README.Debian
--- openldap-2.4.31/debian/slapd.README.Debian
+++ openldap-2.4.31/debian/slapd.README.Debian
@@ -202,0 +203,44 @@
+
+Unsafe access control rule installed by default in previous versions
+
+  Versions of slapd before 2.4.31-1+nmu2+deb7u1 configured the default
+  database with an access control rule of the form:
+
+  to *
+    by self write
+    by dn="cn=admin,dc=example,dc=com" write
+    by * read
+
+  Depending on how the database and client applications are configured,
+  users might be able to impersonate others by editing attributes such
+  as their Unix user and group numbers, or other application-specific
+  attributes.
+
+  New installations no longer include "by self write", but existing
+  configurations will not be automatically modified.
+
+  To list your current access control rules, use the command:
+
+    ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
+
+  To fix the problem, create an LDIF file to replace the rules as
+  needed. For example:
+
+    dn: olcDatabase={1}hdb,cn=config
+    delete: olcAccess
+    olcAccess: {2}
+    -
+    add: olcAccess
+    olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
+
+  Adjust the database DN, the administrative DN, and the rule numbers
+  according to your configuration, following the output from ldapsearch.
+
+  Next, apply the configuration changes from the file:
+
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
+
+  For more information about access control rules, refer to the
+  slapd.access(5) man page.
+
+ -- Ryan Tandy <ryan at nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700
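Review bot: the example LDIF replaces rule {2} with a rule that has no self write at all, but the text never says what to do when users legitimately need to edit some of their own attributes. The debconf note promises that users will be "only able to modify specifically allowed attributes", so a sentence here explaining that such attributes belong in a narrower "to attrs=..." rule with "by self write", placed before the "to *" rule, would complete the procedure. It would also help to tell the reader to re-run the ldapsearch command after ldapmodify to confirm the rule numbers and content ended up as intended.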
diff -u openldap-2.4.31/debian/slapd.config openldap-2.4.31/debian/slapd.config
--- openldap-2.4.31/debian/slapd.config
+++ openldap-2.4.31/debian/slapd.config
@@ -146,6 +146,19 @@
 # }}}
 # }}}
 
+warn_about_selfwrite_acl() {						# {{{
+# Warn about databases having an acl beginning with "to * by self
+# write", installed by default in previous versions of slapd.init.ldif
+# but having possible security implications.
+	if [ -d "$SLAPD_CONF" ]; then
+		if grep -q '^olcAccess: {[0-9]*}to \* by self write' \
+			"$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
+			db_input high slapd/unsafe_selfwrite_acl || true
+		fi
+	fi
+}
+# }}}
+
 # Create an initial directory on fresh install
 if is_initial_configuration "$@"; then
 	if ! want_manual_configuration; then
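Review bot: the grep in warn_about_selfwrite_acl only matches when "by self write" is the first clause directly after "to *", while the template text recommends removing "any instances" of it from such rules. A rule like "to * by dn=... write by self write" is just as permissive for the user but will not trigger the note. Consider matching "by self write" anywhere in a rule that starts with "to *", and keep in mind that long olcAccess values can be folded onto continuation lines in the LDIF files, so a later clause may not be on the line that starts with "olcAccess:". If the narrow match is intentional (only the former default is targeted), say so in the function comment.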
@@ -160,6 +173,7 @@
 if [ "$1" = configure ] && [ -n "$2" ]; then
 	configure_dumping
 	configure_allow_v2_binds
+	warn_about_selfwrite_acl
 fi
    
 db_go || true
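Review bot: the call to warn_about_selfwrite_acl sits inside the '[ "$1" = configure ] && [ -n "$2" ]' branch, so the check runs on upgrade only and not when the config script is invoked with "reconfigure". An admin who runs dpkg-reconfigure slapd after reading the advisory will not be told whether the unsafe rule is still present. If that is acceptable, a short comment stating the check is upgrade-only would avoid surprises; otherwise call it on reconfigure as well.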
diff -u openldap-2.4.31/debian/changelog openldap-2.4.31/debian/changelog
--- openldap-2.4.31/debian/changelog
+++ openldap-2.4.31/debian/changelog
@@ -1,3 +1,16 @@
+openldap (2.4.31-1+nmu2+deb7u1) UNRELEASED; urgency=high
+
+  * debian/slapd.init.ldif: Disallow modifying one's own entry by default, 
+    except specific attributes. (Closes: #761406)
+  * debian/slapd.{config,templates}: On upgrade, if an access rule begins with 
+    "to * by self write", show a debconf note warning that it should be 
+    changed.
+  * debian/po/*: Add debconf message translations.
+  * debian/slapd.README.debian: Add information about how to remove "to * by 
+    self write" from existing ACLs.
+
+ -- Ryan Tandy <ryan at nardis.ca>  Sun, 01 Feb 2015 00:11:43 +0000
+
 openldap (2.4.31-1+nmu2) unstable; urgency=high
 
   * Non-maintainer upload.
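Review bot: the fourth bullet names the file "debian/slapd.README.debian", but the file changed in this diff is "debian/slapd.README.Debian" (capital D). Please fix the spelling in the changelog entry so it matches the path, and replace UNRELEASED with the target distribution before upload.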
diff -u openldap-2.4.31/debian/po/gl.po openldap-2.4.31/debian/po/gl.po
--- openldap-2.4.31/debian/po/gl.po
+++ openldap-2.4.31/debian/po/gl.po
@@ -333,6 +333,45 @@
 "axusta ?s s?as necesidades. Consulte /usr/share/doc/slapd/README.DB_CONFIG."
 "gz para m?is detalles."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr ""
+"A configuraci?n de control de acceso de slapd ? potencialmente insegura"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Polo menos unha das bases de datos configuradas ten unha regra de control de "
+"acceso que permite aos usuarios modificar a maior?a dos atributos. Isto pode "
+"ser inseguro dependendo da maneira en que se use a base de datos."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"No caso das regras de acceso de ?slapd? que comezan con ?to *?, "
+"recom?ndaselle eliminar calquera instancia de ?by self write?, de maneira "
+"que os usuarios s? poidan modificar os atributos especificamente permitidos."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Pode obter m?is informaci?n en /usr/share/doc/slapd/README.Debian.gz ."
+
 #~ msgid "Back up current database and create a new one?"
 #~ msgstr "?Facer unha copia da base de datos actual e crear unha nova?"
 
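Review bot: every msgstr in this hunk shows "?" where an accented character belongs (for example "configuraci?n" and "m?is"), in the added lines and in the unchanged context lines alike, so the attachment as posted cannot be checked for correct encoding. Please confirm the .po files in the actual source package are intact in their declared charset, and run msgfmt -c over debian/po/*.po before upload so a damaged file is caught at build time rather than in the debconf dialog.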
diff -u openldap-2.4.31/debian/po/fi.po openldap-2.4.31/debian/po/fi.po
--- openldap-2.4.31/debian/po/fi.po
+++ openldap-2.4.31/debian/po/fi.po
@@ -333,6 +333,38 @@
 "asetukset vastaavat tarpeita. Tiedostosta /usr/share/doc/slapd/README."
 "DB_CONFIG.gz l?ytyy lis?tietoja (englanniksi)."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr ""
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr ""
 #~ "slurpd on vanhentunut; kopioiden asetukset tulee tehd? k?sin uudelleen"
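Review bot: all four new msgstr entries in this hunk are empty, so Finnish users will see the note in English. That is a safe fallback, but the changelog line "Add debconf message translations" reads as if every language is covered. Consider listing the languages that actually received translations, or noting that the remaining ones were only synced with the template.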
diff -u openldap-2.4.31/debian/po/pt_BR.po openldap-2.4.31/debian/po/pt_BR.po
--- openldap-2.4.31/debian/po/pt_BR.po
+++ openldap-2.4.31/debian/po/pt_BR.po
@@ -354,6 +354,45 @@
 "voc? necessita. Veja /usr/share/doc/slapd/README.DB_CONFIG.gz para maiores "
 "detalhes."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Configura??o de controle de acesso do slapd potencialmente insegura"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Uma ou mais das bases de dados configuradas tem uma regra de controle de "
+"acesso que permite que usu?rios modifiquem a maioria dos seus pr?prios "
+"atributos. Isso pode ser inseguro, dependendo de como a base de dados ? "
+"usada."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"No caso das regras de acesso do slapd que comecem com \"to *\", ? "
+"recomendado remover quaisquer inst?ncias de \"by self write\", de modo que "
+"os usu?rios possam modificar somente atributos especificamente permitidos."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Veja /usr/share/doc/slapd/README.Debian.gz para mais detalhes."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr ""
 #~ "O slurpd est? obsoleto, r?plicas devem ser configuradas manualmente."
diff -u openldap-2.4.31/debian/po/ca.po openldap-2.4.31/debian/po/ca.po
--- openldap-2.4.31/debian/po/ca.po
+++ openldap-2.4.31/debian/po/ca.po
@@ -337,0 +338,38 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Configuraci? de control d'acc?s de slpad potencialment insegur"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Una o m?s de les bases de dades configurades t? una norma de control d'acc?s "
+"que permet als usuaris modificar la major part dels seus atributs. Aquest "
+"situaci? pot ser perillosa, depenent de com s'utilitza la base de dades."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"En el cas que les normes d'acc?s de slpad comencin per \"to *\", ?s "
+"recomanable eliminar totes les inst?ncies a \"by self write\", de manera que "
+"els usuaris nom?s puguin modificar els atributs espec?ficament permesos."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Consulteu ?/usr/share/doc/slapd/README.Debian.gz? per a m?s detalls."
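Review bot: the daemon name is misspelled "slpad" in two of the added msgstr lines, in the title ("control d'acc?s de slpad") and in the third message ("normes d'acc?s de slpad"). It should read "slapd" as in the msgid, since that is the name the admin will search for.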
diff -u openldap-2.4.31/debian/po/it.po openldap-2.4.31/debian/po/it.po
--- openldap-2.4.31/debian/po/it.po
+++ openldap-2.4.31/debian/po/it.po
@@ -336,0 +337,39 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Configurazione degli accessi di slapd potenzialmente non sicura"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Uno o pi? dei database configurati hanno una regola di accesso che permette "
+"agli utenti di modificare la maggior parte dei propri attributi. Ci? ? non "
+"sicuro, il livello di pericolosit? dipende da qual ? l'uso del database."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"Se esistono regole di accesso che iniziano con \"to *\", si raccomanda di "
+"togliere tutti i \"by self write\" in modo che gli utenti possano modificare "
+"solo gli attributi a loro consentiti."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr ""
+"Consultare /usr/share/doc/slapd/README.Debian.gz per maggiori informazioni."
diff -u openldap-2.4.31/debian/po/nl.po openldap-2.4.31/debian/po/nl.po
--- openldap-2.4.31/debian/po/nl.po
+++ openldap-2.4.31/debian/po/nl.po
@@ -335,0 +336,40 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "De configuratie van de slapd-toegangscontrole is mogelijk onveilig"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Een of meer van de geconfigureerde databases gebruikt bij de "
+"toegangscontrole een regel die gebruikers toelaat om het grootste deel van "
+"hun eigen attributen te wijzigen. Afhankelijk van de wijze waarop de "
+"database gebruikt wordt, is dit mogelijk onveilig."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"In het geval er slapd-toegangsregels van toepassing zijn die met \"to *\" "
+"beginnen, wordt aanbevolen om elk voorkomen van \"by self write\" te "
+"verwijderen, waardoor gebruikers enkel die attributen kunnen wijzigen "
+"waarvoor dit expliciet toegestaan wordt."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Raadpleeg /usr/share/doc/slapd/README.Debian.gz voor meer details."
diff -u openldap-2.4.31/debian/po/cs.po openldap-2.4.31/debian/po/cs.po
--- openldap-2.4.31/debian/po/cs.po
+++ openldap-2.4.31/debian/po/cs.po
@@ -336,6 +336,44 @@
 "pot?eb?m. V?ce informac? o nastaven? datab?ze naleznete v souboru /usr/share/"
 "doc/slapd/README.DB_CONFIG.gz."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Potenci?ln? nebezpe?n? nastaven? p??stupu slapd"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Jedna nebo v?ce nakonfigurovan?ch datab?z? obsahuje pravidlo, kter? umo??uje "
+"u?ivatel?m m?nit v?t?inu jejich vlastn?ch atribut?. V z?vislosti na zp?sobu "
+"pou??v?n? datab?ze to m??e b?t nebezpe?n?."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"V p??pad? p??stupov?ch pravidel slapd za??naj?c?ch ?to *? je doporu?eno "
+"odstranit v?skyty ?by self write?, aby u?ivatel? mohli m?nit pouze "
+"explicitn? povolen? atributy."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "V?ce informac? naleznete v /usr/share/doc/slapd/README.Debian.gz."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "slurpd je zastaral?, repliky se mus? znovu nastavit ru?n?"
 
diff -u openldap-2.4.31/debian/po/fr.po openldap-2.4.31/debian/po/fr.po
--- openldap-2.4.31/debian/po/fr.po
+++ openldap-2.4.31/debian/po/fr.po
@@ -341,6 +341,47 @@
 "? vos besoins. Pour plus d'informations, veuillez consulter le fichier /usr/"
 "share/doc/slapd/README.DB_CONFIG.gz."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Configuration ?ventuellement peu s?re du contr?le d'acc?s de slapd"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Une ou plusieurs des bases de donn?es configur?es comportent une r?gle de "
+"contr?le d'acc?s qui permet aux utilisateurs de modifier un ou plusieurs de "
+"leurs propres param?tres. Cela peut ?tre peu s?r, selon la fa?on dont la "
+"base de donn?es est configur?e."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"Pour les r?gles d'acc?s ? slapd qui commencent par???to *??, il est "
+"recommand? de supprimer toute occurrence de ??by self write??, afin que les "
+"utilisateurs ne puissent modifier que des param?tres explicitement autoris?s."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr ""
+"Veuillez consulter le fichier /usr/share/doc/slapd/README.Debian.gz pour "
+"plus d'informations."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "Programme slurpd obsol?te?: reconfiguration manuelle des r?plicats"
 
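Review bot: the second msgstr in this hunk does not say what the msgid says. The English text is "modify most of their own attributes" and "depending on how the database is used", while the French reads "modifier un ou plusieurs de leurs propres param?tres" (one or more) and "la base de donn?es est configur?e" (configured). For a security note the scope matters: "one or more" understates a rule that opens up nearly every attribute. Please ask the translator to align it with the msgid before this goes to stable.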
diff -u openldap-2.4.31/debian/po/ja.po openldap-2.4.31/debian/po/ja.po
--- openldap-2.4.31/debian/po/ja.po
+++ openldap-2.4.31/debian/po/ja.po
@@ -325,0 +326,32 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "????????? slapd ???????????"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr "???????????????????????????????????? 1 ????????????????????????????????????????????????????"
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr "\"to *\" ???? slapd ?????????????? \"by self write\" ?????????????????????????????????????????????????????"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "??????? /usr/share/doc/slapd/README.Debian.gz ??????????"
diff -u openldap-2.4.31/debian/po/es.po openldap-2.4.31/debian/po/es.po
--- openldap-2.4.31/debian/po/es.po
+++ openldap-2.4.31/debian/po/es.po
@@ -366,6 +366,45 @@
 "En cualquier caso, debe revisar la configuraci?n de la base de datos. Vea en "
 "?/usr/share/doc/slapd/README.DB_CONFIG.gz? para m?s detalles."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Configuraci?n potencialmente insegura en el control de acceso de slapd"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Una o varias de las bases de datos configuradas contiene una regla de "
+"control de acceso que permite a los usuarios modificar la mayor?a de sus "
+"propios atributos. Esta configuraci?n puede ser insegura dependiendo de c?mo "
+"se utilice la base de datos."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"Se recomienda que elimine cualquier instancia ?by self write? en las reglas "
+"de acceso de slapd que empiecen con ?to *? para que los usuarios s?lo puedan "
+"modificar los atributos que se hayan permitido expresamente."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Consulte ?/usr/share/doc/slapd/README.Debian.gz? para m?s detalles."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "slurpd es obsoleto; hay que configurar las r?plicas a mano"
 
diff -u openldap-2.4.31/debian/po/vi.po openldap-2.4.31/debian/po/vi.po
--- openldap-2.4.31/debian/po/vi.po
+++ openldap-2.4.31/debian/po/vi.po
@@ -335,0 +336,38 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "C?u h?nh ?i?u khi?n truy c?p slapd ti?m ?n s? thi?u an to?n"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"C? m?t hay h?n c? s? d? li?u c?u h?nh c? ch?a quy t?c ?i?u khi?n truy c?p m? "
+"n? l?i cho ph?p ng??i d?ng s?a ??i ph?n l?n c?c thu?c t?nh m? h? s? h?u. Nh? "
+"v?y l? thi?u an to?n, c?n t?y thu?c v?o c? s? d? li?u d?ng ?? l?m g?."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"Trong tr??ng h?p quy t?c truy c?p slapd m? b?t ??u b?ng \"to *\", khuy?n b?n "
+"n?n x?a b? m?i th?c th? \"by self write\", nh? th? ng??i d?ng ch? c? th? s?a "
+"c?c thu?c t?nh cho ph?p ?? ch? ra."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "??c /usr/share/doc/slapd/README.Debian.gz ?? bi?t th?m chi ti?t."
diff -u openldap-2.4.31/debian/po/da.po openldap-2.4.31/debian/po/da.po
--- openldap-2.4.31/debian/po/da.po
+++ openldap-2.4.31/debian/po/da.po
@@ -329,0 +330,38 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Potentiel usikker slapd-adgangskontrolkonfiguration"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"En eller flere af de konfigurerede databaser har en adgangskontrolregel, "
+"som giver brugere mulighed for at ?ndre deres egne attributter. Dette kan "
+"v?re usikkert, afh?ngig af hvordan databasen bruges."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"I tilf?ldet med slapd-adgangsregler som begynder med ?to *?, anbefales det "
+"at fjerne alle instanser af ?by self write?, s? at brugerne kun kan "
+"?ndre specifikt tilladte attributter."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Se /usr/share/doc/slapd/README.Debian.gz for yderligere detaljer."
diff -u openldap-2.4.31/debian/po/sk.po openldap-2.4.31/debian/po/sk.po
--- openldap-2.4.31/debian/po/sk.po
+++ openldap-2.4.31/debian/po/sk.po
@@ -331,0 +332,32 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr ""
diff -u openldap-2.4.31/debian/po/ru.po openldap-2.4.31/debian/po/ru.po
--- openldap-2.4.31/debian/po/ru.po
+++ openldap-2.4.31/debian/po/ru.po
@@ -341,6 +341,44 @@
 "????? ???????????. ????????? ? ????????? ???????? ? ????? /usr/share/doc/"
 "slapd/README.DB_CONFIG.gz."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "???????????? ???????????? ????????? ?????????? ???????? slapd"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"? ????? ??? ????? ????? ?????? ????????? ??????? ???????? ???????, ??????? "
+"????????? ????????????? ???????? ?? ?????? ??????????? ????????. ??? ????? "
+"???? ???????????, ? ??????????? ?? ????????????? ???? ??????."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"? ??????, ????? ??????? ??????? slapd ?????????? ? ?to *?, ????????????? "
+"??????? ??? ?????????? ?by self write? ??? ????, ????? ???????????? ????? "
+"???????? ?????? ???? ??????????? ????????."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "???????? ??????????? ? ????? /usr/share/doc/slapd/README.Debian.gz."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "slurpd ???????; ??????? ?????? ???? ????????????? ???????"
 
diff -u openldap-2.4.31/debian/po/templates.pot openldap-2.4.31/debian/po/templates.pot
--- openldap-2.4.31/debian/po/templates.pot
+++ openldap-2.4.31/debian/po/templates.pot
@@ -281,0 +282,32 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr ""
diff -u openldap-2.4.31/debian/po/de.po openldap-2.4.31/debian/po/de.po
--- openldap-2.4.31/debian/po/de.po
+++ openldap-2.4.31/debian/po/de.po
@@ -342,6 +342,45 @@
 "auf Ihre Anforderungen pr?fen. Lesen Sie /usr/share/doc/slapd/README."
 "DB_CONFIG.gz f?r weitere Details."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "M?glicherweise unsichere Slapd-Zugriffssteuerkonfiguration"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Eine oder mehrere der konfigurierten Datenbanken hat eine Zugriffssteuerregel, "
+"die Benutzern erlaubt, die meisten ihrer eigenen Konfigurationsoptionen zu "
+"ver?ndern. Dies kann unsicher sein, abh?ngig davon, wie die Datenbank "
+"verwandt wird."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"Im Falle der mit ?to *? beginnenden Slapd-Zugriffsregeln, wird empfohlen, "
+"alle Instanzen von ?by self write? zu entfernen, so dass Benutzer nur in der "
+"Lage sind, speziell erlaubte Attribute zu ?ndern."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Lesen Sie /usr/share/doc/slapd/README.Debian.gz f?r weitere Details."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "Slurpd ist veraltet; Replikas m?ssen von Hand rekonfiguriert werden"
 
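Review bot: the second msgstr renders "attributes" as "Konfigurationsoptionen", while the third msgstr in the same hunk uses "Attribute". The msgid says users can modify most of their own attributes, so the first wording tells the admin that users can change configuration options, which is a different statement. Suggest using "Attribute" in both places so the two paragraphs of the note agree.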
diff -u openldap-2.4.31/debian/po/sv.po openldap-2.4.31/debian/po/sv.po
--- openldap-2.4.31/debian/po/sv.po
+++ openldap-2.4.31/debian/po/sv.po
@@ -333,6 +333,44 @@
 "f?r dina behov. Se /usr/share/doc/slapd/README.DB_CONFIG.gz f?r fler "
 "detaljer."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Potentiellt os?ker r?ttighetsinst?llning f?r slapd"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"En eller flera av de inst?llda databaserna har r?ttighetsinst?llningar som "
+"inneb?r att anv?ndare till?ts att ?ndra de flesta av sina attribut. Detta "
+"kan vara os?kert, beroende p? hur databasen anv?nds."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"I fallen d?r r?ttighetsinst?llningarna b?rjar med \"to *\" ?r det "
+"rekommenderat att ta bort \"by self write\" i f?rekommande fall. Det f?r "
+"till f?ljd att anv?ndare bara f?r justera specifikt till?tna attribut."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "L?s /usr/share/doc/slapd/README.Debian.gz f?r detaljerad information."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "slurpd ?r inte aktuell; repliker m?ste konfigureras f?r hand"
 
diff -u openldap-2.4.31/debian/po/eu.po openldap-2.4.31/debian/po/eu.po
--- openldap-2.4.31/debian/po/eu.po
+++ openldap-2.4.31/debian/po/eu.po
@@ -334,0 +335,38 @@
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Potentzialki ez-segurua den slapd atzitzeko kontrolaren konfigurazioa"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Konfiguratutako datu-base batek (edo gehiagok) erabiltzaileek beraien "
+"atributu gehienak aldatzeko baimentzen duen atzipeneko kontrol-arau bat du. "
+"Hau ez-segurua izan daiteke, datu-basea nola erabiltzen den arabera."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"slapd-ren \"to *\"-rekin hasten diren atzipen arauen kasuan, \"by self write"
+"\"-ren instantziak kentzea gomendatzen da. Horrela, erabiltzaileek bereziki "
+"baimendutako atributuak soilik alda ditzakete."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Irakurri /usr/share/doc/slapd/README.Debian.gz xehetasun gehiagorako."
diff -u openldap-2.4.31/debian/po/pt.po openldap-2.4.31/debian/po/pt.po
--- openldap-2.4.31/debian/po/pt.po
+++ openldap-2.4.31/debian/po/pt.po
@@ -336,6 +336,45 @@
 "para as suas necessidades. Ver /usr/share/doc/slapd/README.DB_CONFIG.gz para "
 "mais detalhes."
 
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "Potentially unsafe slapd access control configuration"
+msgstr "Configura??o de controlo de acesso ao slapd potencialmente insegura"
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid ""
+"One or more of the configured databases has an access control rule that "
+"allows users to modify most of their own attributes. This may be unsafe, "
+"depending on how the database is used."
+msgstr ""
+"Uma das bases de dados configuradas ou mais  t?m uma regra de controlo de "
+"acesso que permite os utilizadores modificarem os seus pr?prios atributos. "
+"Isto pode ser inseguro, depende de como a base de dados ? utilizada."
+
+#. Type: note
+#. Description
+#. Translators: keep "by self write" and "to *" unchanged. These are part
+#. of the slapd configuration and are not translatable.
+#: ../slapd.templates:17001
+msgid ""
+"In the case of slapd access rules that begin with \"to *\", it is "
+"recommended to remove any instances of \"by self write\", so that users are "
+"only able to modify specifically allowed attributes."
+msgstr ""
+"No caso das regras de acesso do slapd the come?am com \" at? *\", ? "
+"recomendado que se remova qualquer inst?ncia de \"by self write\", de "
+"maneira a que os utilizadores possam modificar especificamente atributos "
+"permitidos."
+
+#. Type: note
+#. Description
+#: ../slapd.templates:17001
+msgid "See /usr/share/doc/slapd/README.Debian.gz for more details."
+msgstr "Ver /usr/share/doc/slapd/README.Debian.gz para mais detalhes."
+
 #~ msgid "slurpd is obsolete; replicas must be reconfigured by hand"
 #~ msgstr "o slurpd est? obsoleto; as r?plicas ter?o de ser configuradas ? m?o"
 
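Review bot: the third msgstr translates the ACL fragment itself: it reads \" at? *\" where the msgid has \"to *\", although the translator comment directly above it says to keep "to *" unchanged, so the reader is told to look for a rule prefix that does not appear in a slapd configuration. Restore the literal \"to *\". In the same string "the come?am" looks like a typo for "que", and the translation drops "only" (the msgid says users are only able to modify specifically allowed attributes); the second msgstr likewise drops "most of". These should go back to the translator before the upload.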

