severity 673400 important
tags 673400 moreinfo unreproducible
thanks

On Fri, May 18, 2012 at 07:19:11AM -0400, Helmuth Gronewold wrote:
> Package: slapd
> Version: 2.4.23-7.2
> Severity: normal
>
> I've installed slapd on a plain debian squeeze together with
> ldap-account-manager.
> After configuring slapd with dpkg-reconfigure, I logged in as admin on the
> ldap-account-manager and created 2 users (user1, user2). I logged in as
> user1 and changed personal information. I noticed that I am not able to
> change values of user2 except for the password. It's possible, logged in
> as user1, to change/delete/unset the password of user2 and vice versa. It
> seems that the standard setup lacks something like the following lines:
>
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn.base="cn=Manager,dc=example,dc=com" write
>         by * none
>
> I report this as a critical bug, since it could cause information leakage
> and not wanted privileges to services that authenticate against LDAP.

/usr/share/slapd/slapd.init.ldif, which is used to populate the initial
database configuration, contains exactly these lines:

olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,@SUFFIX@" write
  by * none
olcAccess: to dn.base="" by * read
olcAccess: to *
  by self write
  by dn="cn=admin,@SUFFIX@" write
  by * read

And when I install slapd or reconfigure it, those olcAccess values are set in
/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif. Can you please attach
that file from your system for comparison?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
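A check, added here as an example and not code from the bug report or the slapd package, that parses the olcAccess values out of a slapd.d LDIF fragment such as olcDatabase={1}hdb.ldif and flags the conditions the thread turns on: no rule for userPassword at all, the catch-all `to *` rule ordered before it, or a broad subject (`*`, `users`, `anonymous`) granted more than `auth` on the password attribute. Both LDIF strings are constructed samples modelled on the values quoted above.

```python
import re

# Constructed sample modelled on the olcAccess values quoted in the reply; the
# {n} prefixes are how slapd.d records rule order, and the leading-space line
# is an LDIF continuation (folded mid-token) that must be unfolded first.
GOOD_LDIF = """dn: olcDatabase={1}hdb
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=adm
 in,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
"""
# Constructed weak variant: no userPassword rule, so only the catch-all applies.
WEAK_LDIF = """dn: olcDatabase={1}hdb
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to * by users write by * read
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_olc_access(text):
    """Return olcAccess values in slapd's evaluation order, {n} prefixes stripped."""
    rules = []
    for line in unfold_ldif(text):
        if line.startswith("olcAccess:"):
            value = line.split(":", 1)[1].strip()
            m = re.match(r"\{(\d+)\}(.*)", value)
            rules.append((int(m.group(1)), m.group(2)) if m else (len(rules), value))
    return [r for _, r in sorted(rules)]

def check_password_acl(text):
    """List ACL problems for userPassword; an empty list means it looks right."""
    rules = parse_olc_access(text)
    pw = next((i for i, r in enumerate(rules)
               if re.match(r"to attrs?=\S*\buserPassword\b", r)), None)
    catch_all = next((i for i, r in enumerate(rules) if re.match(r"to \*(\s|$)", r)), None)
    if pw is None:
        return ["no olcAccess rule for attrs=userPassword; the catch-all rule governs passwords"]
    problems = []
    if catch_all is not None and catch_all < pw:
        problems.append("catch-all 'to *' rule is evaluated before the userPassword rule")
    # slapd uses the first matching <who> clause, so a broad subject must get no
    # more than 'auth' (needed for simple binds) on the password attribute.
    for clause in rules[pw].split(" by ")[1:]:
        who, level = clause.split(None, 1)
        if who in ("*", "users", "anonymous") and level.split()[0] not in ("none", "auth"):
            problems.append(f"'by {who} {level}' exposes userPassword to all {who}")
    return problems
```

Run it against the olcDatabase={1}hdb.ldif from the affected system to see which of the three conditions, if any, holds there.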