Ryan Tandy wrote:
[...]
> My current draft for the debconf note (to be shown on upgrade, if an
> access rule beginning with "to * by self write" exists) reads:
>
> Description: Please review access control rules

You also have a "please review" later on. Maybe this could say
something like

    Description: OpenLDAP access control rule issue

> One or more of your databases contains an access rule that allows users
> to edit most of their own attributes. This may be unsafe, depending on
> how the database is used.
> .
> Please review your access control rules. Refer to
> /usr/share/doc/slapd/README.Debian.gz for more details.

Do you really mean to talk about databases *containing* access rules?
Maybe it should say something like:

    One or more of the databases configured in /etc/openldap/slapd.conf
    has an access rule that allows users to edit most of their own
    attributes. This may be unsafe, depending on how the database is
    used.

> My draft for README.Debian reads:
>
> Dangerous default access control rule
>
> Previous versions of slapd configured the default database with an
> access control rule of the form:

If this is being incorporated into an existing README.Debian rather
than a NEWS.Debian it needs some sort of datestamp or version number or
other indicator of what "previous" is relative to:

    Versions of slapd before X.Y-Z configured the default database with
    an access control rule of the form:

>
>     to *
>       by self write
>       by dn="cn=admin,dc=example,dc=com" write
>       by * read
>
> Depending on the how the database and client applications are

XXX Surplus article.

> configured, users might be able to impersonate others by editing
> attributes such as their Unix user and group numbers, their Kerberos
> principal name, their Samba security identifier, or other
> application-specific attributes.
>
> New slapd installations no longer include "by self write", but
> existing configurations will not be automatically modified.
>
> To list your current access control rules, use the command:
>
>     ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
>
> Next, create a text file containing the desired modifications, for
> example:

Maybe call it "an ldif file" here?

>     dn: olcDatabase={1}hdb,cn=config
>     delete: olcAccess
>     olcAccess: {2}
>     -
>     add: olcAccess
>     olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
>
> Adjust the database DN, the administrative DN, and the rule numbers
> according to your configuration.
>
> Finally, apply the configuration changes from the file:
>
>     ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
>
> For more information about access control rules, consult the
> slapd.access(5) man page.
>
> <EOF>

That's an alarmingly fragile-looking procedure... is it really
impossible to fix this just by loading a corrected slapd.conf?

Well, at any rate I can see why you might not want to cram that into a
debconf dialogue!

-- 
JBR     with qualifications in linguistics, experience as a Debian
        sysadmin, and probably no clue about this particular package

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
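The check-and-fix procedure quoted in the thread (list the olcAccess values with ldapsearch, then hand-write an LDIF that deletes the "to * by self write ..." value by index and adds the corrected rule back at the same index) can be mechanised. The script below is an added example written for this page; it is not part of the bug report, the slapd package or its README.Debian. It reads ldapsearch LDIF on stdin, unfolds the continuation lines that ldapsearch wraps at 76 columns, flags only the catch-all `to *` rules that begin with `by self write` (a `to attrs=userPassword ... by self write` rule is expected and is left alone), and emits ldapmodify input of the shape shown above. The sample LDIF, the function names and the `changetype: modify` line (which ldapmodify assumes when it is absent, as in the quoted draft) are the example's own choices; it covers cn=config only, not a slapd.conf-based setup.

```shell
#!/bin/sh
# Added example (not from the bug report or the slapd package): find
# "to * by self write ..." rules in cn=config and generate the ldapmodify
# input that drops the "by self write" clause, keeping the rest verbatim.

# Constructed sample of what
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess
# prints on a Debian-style server. Long values are folded onto continuation
# lines that begin with one space, exactly as ldapsearch does.
SAMPLE_LDIF='dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
  read
'

# Join LDIF continuation lines (leading single space) back onto their value.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# Print "<database dn>\t<index>\t<rule>" for every rule that is a catch-all
# "to *" and grants "by self write". Rules scoped to specific attributes
# (e.g. userPassword) are intentionally not reported.
find_self_write_rules() {
    unfold_ldif | awk '
        /^dn: / { dn = substr($0, 5); next }
        /^olcAccess: / {
            rule = substr($0, 12)
            idx = ""
            # cn=config values are X-ORDERED and carry an {N} prefix.
            if (substr(rule, 1, 1) == "{") {
                close_at = index(rule, "}")
                idx = substr(rule, 2, close_at - 2)
                rule = substr(rule, close_at + 1)
            }
            if (rule ~ /^to \*[ \t]+by self write([ \t]|$)/)
                printf "%s\t%s\t%s\n", dn, idx, rule
        }
    '
}

# Remove the "by self write" clause from one rule. Everything else is kept,
# so the admin DN and "by * read" survive. Note that a rule left as a bare
# "to *" would have an implicit "by * none" and deny everyone: review output.
fix_rule() {
    printf '%s\n' "$1" | sed \
        -e 's/[[:space:]]\{1,\}by self write[[:space:]]\{1,\}/ /' \
        -e 's/[[:space:]]\{1,\}by self write$//'
}

# Emit one modify record per finding: delete the value by its {N} index, then
# add the corrected rule back at the same index so rule ordering is preserved.
generate_modify_ldif() {
    find_self_write_rules | while IFS="$(printf '\t')" read -r dn idx rule; do
        fixed=$(fix_rule "$rule")
        printf 'dn: %s\nchangetype: modify\ndelete: olcAccess\nolcAccess: {%s}\n-\nadd: olcAccess\nolcAccess: {%s}%s\n-\n\n' \
            "$dn" "$idx" "$idx" "$fixed"
    done
}

# Against a live server (as root, for ldapi:/// EXTERNAL auth) you would run:
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess \
#       | generate_modify_ldif > mods.ldif
#   # review mods.ldif, then:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
# Here the constructed sample is used instead.
printf '%s' "$SAMPLE_LDIF" | find_self_write_rules
printf '%s' "$SAMPLE_LDIF" | generate_modify_ldif
```

On the sample above only `{2}` of `olcDatabase={1}hdb,cn=config` is reported, and the generated record rewrites it to `to * by dn="cn=admin,dc=example,dc=com" write by * read`, which is the rule the quoted README draft arrives at by hand. Deleting and re-adding at the same index in a single modify keeps the surrounding rules where they were, which matters because slapd stops at the first `to` clause that matches.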