[Pkg-openldap-devel] slapd: dangerous access rule in default config
Brian May
brian at microcomaustralia.com.au
Wed Jan 28 01:17:18 UTC 2015
On 28 January 2015 at 02:49, Luca Bruno <lucab at debian.org> wrote:
> A debconf warning is already in place for jessie, and a full backport is
> currently sitting in bpo-NEW. Should we cherry-pick the same warning for
> wheezy and squeeze-lts?
>
How does this warning work? Does it automatically test for vulnerable
configurations somehow, or does it warn for all upgrades?
I think backporting to wheezy and squeeze-lts would be a good idea, unless
backporting is complicated for any reason. If it is just a simple debconf
note, it sounds like it should be simple.
I have also looked up the situation for CentOS/Fedora. It looks like their
openldap-servers package doesn't provide any ACLs, so they are OK. I can't find
any official documentation on how to set up the ACLs, so it is very
possible sysadmins could get misled, e.g. by the official OpenLDAP
documentation[1] or third-party websites[2], and still have vulnerable
systems.
[1] <http://www.openldap.org/doc/admin24/access-control.html#Basic ACLs>
[2] <http://www.zytrax.com/books/ldap/ch6/#ex-authenticated>
--
Brian May <brian at microcomaustralia.com.au>
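Brian asks above how the debconf warning decides what to warn on. The following is an added example, not the check Debian ships and not code from this thread: a small POSIX shell scan over cn=config style LDIF (as produced by `slapcat -n0` or found under /etc/ldap/slapd.d) that flags access rules granting "by self write" on an unrestricted "to *" target. That this clause is the "dangerous access rule" of the subject line is an assumption made here; the message itself does not name the rule. The sample LDIF is constructed for the example and includes a folded continuation line, since slapcat wraps long olcAccess values.

```shell
#!/bin/sh
# Added example (not from the Debian slapd packaging): find olcAccess rules
# that grant "by self write" on the bare "to *" target. Assumption: that is
# the dangerous default rule being discussed. Input is cn=config LDIF.

# Constructed sample. Rule {0} scopes self-write to two attributes (not
# flagged); rule {2} lets any bound user rewrite its whole entry (flagged).
# Lines beginning with a single space are LDIF continuation lines.
SAMPLE_LDIF='dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym
 ous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by
  * read'

# Unfold LDIF continuation lines (join a line starting with one space onto
# the previous line, dropping that space), then emit only the olcAccess
# values with the optional {n} ordering prefix removed.
ldif_access_rules() {
    printf '%s\n' "$1" \
      | sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D' \
      | sed -n 's/^olcAccess: *\({[0-9]*}\)\{0,1\}//p'
}

# Print each rule whose target is exactly "*" and whose clauses include
# "by self write". Exit status is 0 if at least one such rule exists,
# 1 otherwise (the status of the final grep).
find_unsafe_selfwrite() {
    ldif_access_rules "$1" \
      | grep -i '^to \*[[:space:]]' \
      | grep -i 'by self write'
}

# Stand-alone use: report and exit non-zero when a risky rule is present.
if find_unsafe_selfwrite "$SAMPLE_LDIF"; then
    echo 'WARNING: "to *" rule grants "by self write"' >&2
fi
```

The attribute-scoped rule ({0}) is deliberately not flagged: letting a user change only userPassword and shadowLastChange is the usual intent, whereas "by self write" on "to *" also covers every other attribute of the entry. Feed the function `slapcat -n0` output, or concatenate the files under /etc/ldap/slapd.d, to run it against a real server.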