Opened 18 years ago
Last modified 15 years ago
#54 closed task
LDAP security settings - self update, hide password — at Initial Version
Reported by: | warmerdam | Owned by: | hobu
---|---|---|---
Priority: | major | Milestone: |
Component: | SysAdmin | Keywords: |
Cc: | | |
Description
The following script does *not* have permission to update the cn field for its own user (even when the cred is set properly). But I think it should.

    #!/usr/bin/env python
    # Bind as the user's own DN and try to rewrite that entry's cn.
    import ldap
    import ldap.filter
    import sys
    import md5
    import base64

    server = 'ldap.osgeo.org'
    who = 'uid=warmerdam,ou=People,dc=osgeo,dc=org'
    cred = 'xx'   # the user's real password goes here

    l = ldap.open(server)
    l.simple_bind_s(who, cred)   # authenticated bind as `who`

    # Fails with insufficient access although "by self write" should apply.
    l.modify_s(who, [(ldap.MOD_REPLACE, 'cn', 'NF Warmerdam')])
The /etc/openldap/slapd.conf uses the following permissions:

    access to *
            by self write
            by users read
            by anonymous auth
As I read the docs at:
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
This should do what we want, but somehow it isn't.
I'd add that our current ldap permissions allow any authenticated user to read everything in ldap, including everyone else's encrypted password, which is sufficient to authenticate as these other users. We should really add a pre-rule, something like:

    access to attr=userPassword
            by self write
            by anonymous auth
            by dn.base="cn=Manager,dc=osgeo,dc=org" write
            by * none
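As an added illustration (not part of the ticket or the osgeo.org config), here is the complete slapd.conf ACL block with the userPassword rule placed ahead of the catch-all, alongside the current weak ordering for contrast; it assumes the manager DN cn=Manager,dc=osgeo,dc=org exactly as written above.

```conf
# slapd evaluates "access to" clauses in order and stops at the FIRST
# clause whose target matches the entry/attribute; within that clause the
# first matching "by" line decides.  A userPassword rule must therefore
# precede "access to *", or it is never reached.

# 1. Password hashes: the owner may change them, an unauthenticated bind
#    may only compare (auth), the manager may write, and everyone else,
#    including other authenticated users, gets nothing.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=osgeo,dc=org" write
        by * none

# 2. Everything else, as in the ticket: owner writes its own entry
#    (the "self update" the ticket wants), authenticated users read.
access to *
        by self write
        by users read
        by anonymous auth

# --- Weak ordering currently in place (shown commented out):
# access to *
#         by self write
#         by users read        <-- also matches userPassword: every bound
#         by anonymous auth        user can read every other user's hash
```

OpenLDAP's slapacl(8) can check the result against the config file without restarting slapd, e.g. `slapacl -f /etc/openldap/slapd.conf -D "uid=warmerdam,ou=People,dc=osgeo,dc=org" -b "uid=OTHERUSER,ou=People,dc=osgeo,dc=org" userPassword/read` (OTHERUSER is a placeholder), which should report the read as DENIED once the pre-rule is in place.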