Package: slapd
Version: 2.4.23-7.2

[I still use the slapd.conf file, not cn=schema, but I think that it is the same...]

The default configuration file slapd.conf (supplied/handled by debconf in /etc/ldap/, or provided as an example in /usr/share/doc/slapd/examples/slapd.conf) uses a suboptimal ACL:

    access to attrs=userPassword,shadowLastChange
            by dn="@ADMIN@" write
            by anonymous auth
            by self write
            by * none

This ACL prevents anonymous (read) access to 'shadowLastChange', preventing nss (I've tested libnss-ldap and libnss-ldapd/nslcd, it is the same), if configured to use anonymous bind, from correctly handling password expiration saved in LDAP.

With libnss-ldap, you can set 'rootbinddn'; with libnss-ldapd/nslcd you are forced to bind with sufficient privileges.

I think that 'shadowLastChange' is information that doesn't need more privacy than the other Shadow* ones, so I propose this new ACL:

    access to attrs=userPassword
            by dn="@ADMIN@" write
            by anonymous auth
            by self write
            by * none

    access to attrs=shadowLastChange
            by dn="@ADMIN@" write
            by self write
            by * read

Thanks.
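
Added example, not part of the original report and not slapd code: a small Python model of slapd's first-match ACL evaluation, run over the two ACLs quoted above, to check what an anonymous bind gets on each attribute. The function names and the simplified parser (only "access to attrs=" directives with "by <who> <level>" clauses) are assumptions made for illustration.

```python
import re

# slapd access levels, lowest to highest privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

OLD_ACL = '''
access to attrs=userPassword,shadowLastChange
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none
'''
NEW_ACL = '''
access to attrs=userPassword
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none
access to attrs=shadowLastChange
        by dn="@ADMIN@" write
        by self write
        by * read
'''

def parse(conf):
    """Return [(attrs, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"access to attrs=(\S+)$", line)
        if m:
            rules.append((m.group(1).lower().split(","), []))
        elif line.startswith("by ") and rules:
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who, level))
    return rules

def anonymous_access(conf, attr):
    """Level an anonymous bind gets on attr: first directive, then first 'by', wins."""
    for attrs, clauses in parse(conf):
        if attr.lower() in attrs:
            for who, level in clauses:
                if who in ("anonymous", "*"):  # 'self' and dn= never match anonymous
                    return level
            return "none"  # every directive ends with an implicit "by * none"
    return "none"  # directives exist but none matched: implicit "access to * by * none"

def can_read(conf, attr):
    """True if the anonymous level is 'read' or higher."""
    return LEVELS.index(anonymous_access(conf, attr)) >= LEVELS.index("read")
```

Under the old ACL an anonymous bind stops at "auth" on shadowLastChange, below the "read" level that nss needs; under the proposed ACL it reaches "read" while userPassword stays at "auth".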