Account admins can set any password under System Accounts

Bug #306329 reported by Andreas Hasenack
Affects: OpenLDAP DIT
Status: Fix Committed
Importance: Undecided
Assigned to: Unassigned

Bug Description

This ACL:
# userPassword access
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="dc=example,dc=com"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,dc=example,dc=com" write
        by * read
access to dn.subtree="dc=example,dc=com"
        attrs=userPassword
        by group.exact="cn=Account Admins,ou=System Groups,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

This allows account admins to set passwords under ou=System Accounts as well, allowing them to become LDAP Admins, for example.
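The scenario in the report, as an added example that is not code from the bug or from the openldap-dit project: a small Python model of slapd ACL evaluation (directives checked in order, first matching "what" selected, first matching "by" clause decides; no regex, dn.base, "break"/"continue" or privilege syntax). It encodes the ACL above as VULNERABLE_ACL and a hardened variant that places a more specific userPassword directive for ou=System Accounts ahead of the general one, so the group grant never reaches system accounts. The hardened ACL is an assumption about one possible fix, not the change committed in trunk, and the DNs uid=bob, uid=alice and cn=admin are constructed for the example.

```python
"""Simplified model of slapd ACL evaluation (added example, not project code).

slapd walks 'access to' directives in order; the first one whose 'what'
(dn.subtree and attrs) matches the request is chosen, and within it the
first matching 'by' clause fixes the access level (default: none).
"""
from dataclasses import dataclass
from typing import Optional

# slapd access levels in increasing order; a granted level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Directive:
    subtree: str        # dn.subtree="..." the entry must live under
    attrs: set          # attribute names the directive governs
    by: list            # ordered (who, level) clauses


@dataclass
class Request:
    bound_dn: Optional[str]   # None models an anonymous bind
    groups: frozenset         # groups the bound DN belongs to (constructed input)
    target_dn: str            # entry being accessed
    attr: str                 # attribute being accessed


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def who_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bound_dn is None
    if who == "self":
        return req.bound_dn is not None and req.bound_dn.lower() == req.target_dn.lower()
    if who.startswith("group.exact="):
        return who.split("=", 1)[1] in req.groups
    raise ValueError(f"unsupported who clause: {who}")


def evaluate(acl: list, req: Request) -> str:
    """Return the access level the ACL grants for this request."""
    for d in acl:
        if in_subtree(req.target_dn, d.subtree) and req.attr in d.attrs:
            for who, level in d.by:
                if who_matches(who, req):
                    return level
            return "none"  # directive matched but no 'by' clause did
    return "none"          # nothing matched: slapd denies by default


def allows(acl: list, req: Request, needed: str) -> bool:
    return LEVELS.index(evaluate(acl, req)) >= LEVELS.index(needed)


BASE = "dc=example,dc=com"
ADMINS = "cn=Account Admins,ou=System Groups,dc=example,dc=com"
SYSTEM = "ou=System Accounts,dc=example,dc=com"

# The ACL quoted in the bug report, as data.
VULNERABLE_ACL = [
    Directive(BASE, {"shadowLastChange"},
              [("self", "write"), (f"group.exact={ADMINS}", "write"), ("*", "read")]),
    Directive(BASE, {"userPassword"},
              [(f"group.exact={ADMINS}", "write"), ("self", "write"),
               ("anonymous", "auth"), ("*", "none")]),
]

# Hardened variant (assumption, not the fix committed in trunk): a directive
# scoped to ou=System Accounts comes first, so the general grant to the
# Account Admins group below is never consulted for system accounts.
HARDENED_ACL = [
    Directive(SYSTEM, {"userPassword"},
              [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
] + VULNERABLE_ACL

# Constructed DNs for the walkthrough.
ACCOUNT_ADMIN = "uid=bob,ou=People,dc=example,dc=com"
LDAP_ADMIN = "cn=admin,ou=System Accounts,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"


def account_admin_can_reset(acl: list, target_dn: str) -> bool:
    """Can a member of Account Admins write userPassword on target_dn?"""
    req = Request(ACCOUNT_ADMIN, frozenset({ADMINS}), target_dn, "userPassword")
    return allows(acl, req, "write")


if __name__ == "__main__":
    for name, acl in (("vulnerable", VULNERABLE_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name}: admin resets LDAP admin ->", account_admin_can_reset(acl, LDAP_ADMIN))
        print(f"{name}: admin resets alice      ->", account_admin_can_reset(acl, ALICE))
```

Running the block prints that the vulnerable ACL lets an Account Admins member write the system account's userPassword while the hardened one does not, and that both still let the group reset ordinary users such as alice; self-write and anonymous auth on the system account are unchanged. The same pattern applies to shadowLastChange if that attribute is also a concern.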


Andreas Hasenack (ahasenack) wrote :

Fixed in trunk

Changed in openldap-dit:
status: New → Fix Committed