Your message dated Fri, 11 Sep 2015 09:32:21 +0000
with message-id <[email protected]>
and subject line Bug#669235: fixed in openldap 2.4.42+dfsg-2
has caused the Debian Bug report #669235,
regarding Incorrect/unoptimal ACL prevent nss/shadow to work with anonymous bind
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
669235: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669235
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.4.23-7.2

[I still use the slapd.conf file, not cn=schema, but i think that it is
the same...]

The default configuration file slapd.conf (supplied/handled by debconf
on /etc/ldap/, or provided as example on 
/usr/share/doc/slapd/examples/slapd.conf)
usa an unoptimal ACL:

 access to attrs=userPassword,shadowLastChange
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none

this ACL prevent the anonymous (read) access to 'shadowLastChange',
preventing nss (i've tested libnss-ldap and libnss-ldaps/nslcd, it is
the same), if configured to use anonymous bind, to correctly handle
password expiration saved on LDAP.
With libnss-ldap, you can set 'rootbinddn', with libnss-ldaps/nslcd you
are forced to bind with sufficient privileges.

I think that 'shadowLastChange' is an information that does't need more
privacy then others Shadow* ones, so i propose this new ACL:

 access to attrs=userPassword
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none
 access to attrs=shadowLastChange
        by dn="@ADMIN@" write
        by self write
        by * read

Thanks.



--- End Message ---
--- Begin Message ---
Source: openldap
Source-Version: 2.4.42+dfsg-2

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <[email protected]> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Sep 2015 20:13:17 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg 
libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.42+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers 
<[email protected]>
Changed-By: Ryan Tandy <[email protected]>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 669235 724518 794998
Changes:
 openldap (2.4.42+dfsg-2) unstable; urgency=medium
 .
   [ Ryan Tandy ]
   * Change explicit Pre-Depends: multiarch-support to ${misc:Pre-Depends}, as
     recommended by lintian.
   * Omit slapd, slapd-dbg, and slapd-smbk5pwd from the stage1 build profile.
     This allows the dependency loop with heimdal to be broken for
     bootstrapping, and the dependency on libperl-dev to be avoided for
     cross-building. Thanks Daniel Schepler and Helmut Grohne.
     (Closes: #724518)
   * Apply wrap-and-sort to the Build-Depends field.
   * Drop libncurses5-dev from Build-Depends, no longer needed since the ud
     tool was removed in OpenLDAP 2.1.4.
   * Drop libltdl3-dev as an alternate Build-Depends, since that package was
     removed after lenny.
   * Annotate Build-Depends on perl with :any to allow running the system perl
     interpreter during cross builds.
   * Ensure CC is set correctly for cross builds. Thanks Helmut Grohne.
   * Build-Depend on dpkg-dev (>= 1.17.14) and debhelper (>= 9.20141010) for
     restriction formula support.
   * Override the 'dev-pkg-without-shlib-symlink' lintian tag. The symlink is
     actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a
     false positive; see #687022.
   * Include the smbk5pwd man page in the slapd-smbk5pwd package.
   * Allow anonymous read access to the shadowLastChange attribute by default,
     allowing nss-ldap/nss-ldapd to handle password expiry correctly even when
     bound anonymously. This was the only restricted shadow attribute, the
     others were already world-readable. (Closes: #669235)
   * Drop the redundant default ACL for dn.base="" from the database entry.
     It's already covered by the fallback case below.
   * Copy more comments from the slapd.conf template to slapd.init.ldif. Also
     comment the shadowLastChange access rule.
   * Import upstream patch to remove an unnecessary assert(0) that could be
     triggered remotely by an unauthenticated user by sending a malformed BER
     element. (ITS#8240)
 .
   [ Peter Marschall ]
   * Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
     install the new manual page. (Closes: #794998)
Checksums-Sha1:
 054ba8a83a833789fe536211e00f14dbfb0e38c4 2902 openldap_2.4.42+dfsg-2.dsc
 6f8e74cbaf22ee918719c52a8fd0c4cf73a831b4 152620 
openldap_2.4.42+dfsg-2.debian.tar.xz
Checksums-Sha256:
 66bd0c7ccc8997008a4e8c734cb2ee7fed5ac6897217389dc5647ff86bfbac01 2902 
openldap_2.4.42+dfsg-2.dsc
 6a9bb42aeb745dd2b18765ab067401d450bbf97f8822356fa175397cb9257199 152620 
openldap_2.4.42+dfsg-2.debian.tar.xz
Files:
 749bb6b35d72f415165ae16a4307c0cd 2902 net optional openldap_2.4.42+dfsg-2.dsc
 b144cbc20d844d1696a8be03da49c4f5 152620 net optional 
openldap_2.4.42+dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJV8pJNAAoJEKmDSiJSB45Otq4P/2OtVRrPAtg4F4U4LlYyDoCQ
qf/emdtJV5dZwIDrckymXCcFPXEGcta1aYeNUqHFNAxW8zi89J2ISzhyhmwh4KdJ
fZhjHBmTdJJLJrvU49aItvYflYcPT8UZ9VbXe8OjHTfq1uWO0iTrpPYBX+KUcwd7
haO0dpmvfBJOq98v7i2tSxg3rlH40S6aAbclMfLVxV6lRC0ixwa9m4050CoFWZoP
TNy1Qsgbazo3ot7pAjLwlgaK9bzfG3uyHv4NecHoJajWf0FVlAlYM3BEfJh2pTFT
KkbR75m2KejrTy0yzcnxK6pdpe4ABWEbPp2Ky6foqy3M809OzpAOB+WnJjGfFZpO
66aCj7fY+rRDuMUOpMu3Q+D+usj/RHpkD+YvbEREvdNTM9R/ZYuQihHGHj4cWo1v
YHUp5z+FyyUUytoiFLV1h5J5fGBzL6FsYMH0et7vSttUPP111mLvTlTUbkgfdLgj
Zyv5zoULldQNxCivfYRTnMgyRh6LQJNHD5dTb+yuGIbvQeKHp9P+QOGOg0RHDEsa
bUaLgDOpOLrnx1+jrtfCnS1v1fCDVP+1CuVbvX2LmErvnRBu8lMEzcpqnlPJXL0+
hpTRgKTgw/saJoZeLFn33f/KFBSKBiAwLJSjJgi2XhQtJncDbp4PNlMWJU20G7ms
6B+ka9e5mj+I8VZuq3og
=mFcQ
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to