Control: tags -1 + pending

On 13/09/14 08:41 AM, Dietrich Clauss wrote:
> When the LDAP is used to authenticate users (e.g. in conjunction with
> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self write" allows
> the user to change her uidNumber and impersonate another user.
>
> IMO the default config should allow self-write access to userPassword
> and shadowLastChange only.

Thanks for the report. I've removed the offending 'by self write' in git. I'm not sure why that was added in the first place. The default slapd.conf didn't have it and I didn't find any comments about it.

I don't think I'm comfortable doing an automated ACL change to existing installs. A NEWS.Debian entry suggesting the change (and mentioning how to do it) might be appropriate, though.

thanks,
Ryan
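The ACL change discussed above, written out as an added cn=config example (constructed for this note, not the package's own file): the database RDN `olcDatabase={1}mdb` and the admin DN `cn=admin,dc=example,dc=com` are assumptions to adjust for the local setup.

```ldif
# Constructed example. Inspect the live ACLs first with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
# then apply this file with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Users may write only their own password and its last-change stamp;
# anonymous binds may use the password to authenticate, nobody may read it.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.base="" by * read
# Every other attribute (uidNumber, gidNumber, homeDirectory, ...) stays
# readable but is writable by the admin only. The weak rule this replaces was
#   olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
# whose "by self write" let a user rewrite her own uidNumber.
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
```

Because `replace:` overwrites the whole olcAccess list, copy any site-specific rules from the ldapsearch output into the file before applying it.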

