[Bug 1146] Need to tune slapd.conf to allow admins to create users, and jrAdmins to change passwords


daniel@rio-grande.ping.de changed:

           What    |Removed                     |Added
           Severity|major                       |blocker
           Priority|P2                          |P1

------- Additional Comments From daniel@rio-grande.ping.de  2007-07-01 01:14 -------

I've poked a bit on this issue. Here is what I found out:

First of all, the first half of the svn change to slapd-etch_debian-edu.conf
introduced by revision 35029 is correct. This is needed by Lwat to work
correctly (limiting it to read, write and search would be sufficient, but write
only adds auth and compare to that list, and that should not be a problem). The
other half does indeed introduce a problem for libnss-ldap and breaks tjener that
way. As libnss-ldap binds anonymously to the LDAP server, it will not be able to read
anything (of interest). One could argue that it does not really need to have
read (as in read, search, compare and auth) access to the whole tree (with the exclusion
of the attributes userPassword, shadowLastChange, sambaLMPassword and
sambaNTPassword, to which no access is granted), but this would be a major
change. To get the system working again, the "Defaultaccess" needs to be
reactivated.

Furthermore, when it comes to a cleanup, the 'by
dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"' lines could be
removed, as they are ignored, because the rootdn is always granted all
privileges to the whole tree.

To make a long story short: the easiest fix is to reintroduce the Defaultaccess
rule. The harder fix is to rethink the libnss-ldap libpam-ldap thing and only grant
stricter access for them.

Last but not least, the problem did not show up right after the change, because
nscd caches the data from LDAP for a while, so after a change to slapd
one should restart nscd to get the cached values out of the way.
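The evaluation order the comment relies on (first matching `access to` clause is selected, first matching `by` clause inside it decides, the rootdn bypasses ACLs altogether) can be modelled in a few lines. This is an added illustration written for this page, not code from the bug report or from the real slapd-etch_debian-edu.conf, whose contents are not shown here; it assumes simplified slapd.access(5) semantics (unmatched requests are denied, the "disclose" and "manage" levels are omitted) and uses a constructed sample account DN.

```python
from dataclasses import dataclass

# Access levels in increasing order (simplified: "disclose"/"manage" omitted).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PASSWORD_ATTRS = {"userPassword", "shadowLastChange",
                  "sambaLMPassword", "sambaNTPassword"}
ROOTDN = "cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
USER_DN = "uid=jdoe,ou=People,dc=skole,dc=skolelinux,dc=no"  # constructed sample

@dataclass
class Rule:
    """One 'access to <target> by <who> <level> ...' clause."""
    attrs: object   # set of attribute names, or None for 'access to *'
    by: list        # ordered (who, level) pairs

def subject_matches(who, binddn, entry_dn):
    if who.startswith("dn.exact="):
        return binddn == who[len("dn.exact="):]
    return {"*": True, "anonymous": binddn is None, "users": binddn is not None,
            "self": binddn == entry_dn}.get(who, False)

def check(rules, binddn, entry_dn, attr, wanted):
    """Return True if binddn (None = anonymous bind) gets 'wanted' on entry/attr."""
    if binddn == ROOTDN:          # rootdn bypasses ACLs, so 'by dn.exact=<rootdn>'
        return True               # lines in slapd.conf never take effect
    for rule in rules:            # first matching 'access to' clause is selected
        if rule.attrs is None or attr in rule.attrs:
            for who, level in rule.by:        # first matching 'by' clause decides
                if subject_matches(who, binddn, entry_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False          # no 'by' matched: implicit 'by * none'
    return False                  # no 'access to' matched: denied

PASSWORD_RULE = Rule(PASSWORD_ATTRS,
                     [("self", "write"), ("anonymous", "auth"), ("*", "none")])
DEFAULT_RULE = Rule(None, [("*", "read")])   # the catch-all read rule
BROKEN = [PASSWORD_RULE]                      # catch-all dropped
FIXED = [PASSWORD_RULE, DEFAULT_RULE]         # catch-all reinstated

def nss_lookup_works(rules):
    """libnss-ldap binds anonymously and must read ordinary account attributes."""
    return check(rules, None, USER_DN, "uidNumber", "read")

def password_readable_anonymously(rules):
    return check(rules, None, USER_DN, "userPassword", "read")

if __name__ == "__main__":
    print("nss works without catch-all:", nss_lookup_works(BROKEN))  # False
    print("nss works with catch-all:", nss_lookup_works(FIXED))      # True
```

Because nscd caches the lookups, the model is also a quicker way to see the effect of an ACL edit than waiting for the cache to expire on tjener.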
