Your message dated Fri, 11 Sep 2015 09:32:21 +0000 with message-id <[email protected]> and subject line Bug#669235: fixed in openldap 2.4.42+dfsg-2 has caused the Debian Bug report #669235, regarding Incorrect/unoptimal ACL prevent nss/shadow to work with anonymous bind to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 669235: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669235 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: slapd Version: 2.4.23-7.2 [I still use the slapd.conf file, not cn=schema, but i think that it is the same...] The default configuration file slapd.conf (supplied/handled by debconf on /etc/ldap/, or provided as example on /usr/share/doc/slapd/examples/slapd.conf) usa an unoptimal ACL: access to attrs=userPassword,shadowLastChange by dn="@ADMIN@" write by anonymous auth by self write by * none this ACL prevent the anonymous (read) access to 'shadowLastChange', preventing nss (i've tested libnss-ldap and libnss-ldaps/nslcd, it is the same), if configured to use anonymous bind, to correctly handle password expiration saved on LDAP. With libnss-ldap, you can set 'rootbinddn', with libnss-ldaps/nslcd you are forced to bind with sufficient privileges. I think that 'shadowLastChange' is an information that does't need more privacy then others Shadow* ones, so i propose this new ACL: access to attrs=userPassword by dn="@ADMIN@" write by anonymous auth by self write by * none access to attrs=shadowLastChange by dn="@ADMIN@" write by self write by * read Thanks.
--- End Message ---
--- Begin Message ---Source: openldap Source-Version: 2.4.42+dfsg-2 We believe that the bug you reported is fixed in the latest version of openldap, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ryan Tandy <[email protected]> (supplier of updated openldap package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Thu, 10 Sep 2015 20:13:17 -0700 Source: openldap Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg Architecture: source Version: 2.4.42+dfsg-2 Distribution: unstable Urgency: medium Maintainer: Debian OpenLDAP Maintainers <[email protected]> Changed-By: Ryan Tandy <[email protected]> Description: ldap-utils - OpenLDAP utilities libldap-2.4-2 - OpenLDAP libraries libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries libldap2-dev - OpenLDAP development libraries slapd - OpenLDAP server (slapd) slapd-dbg - Debugging information for the OpenLDAP server (slapd) slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd. Closes: 669235 724518 794998 Changes: openldap (2.4.42+dfsg-2) unstable; urgency=medium . [ Ryan Tandy ] * Change explicit Pre-Depends: multiarch-support to ${misc:Pre-Depends}, as recommended by lintian. * Omit slapd, slapd-dbg, and slapd-smbk5pwd from the stage1 build profile. This allows the dependency loop with heimdal to be broken for bootstrapping, and the dependency on libperl-dev to be avoided for cross-building. Thanks Daniel Schepler and Helmut Grohne. (Closes: #724518) * Apply wrap-and-sort to the Build-Depends field. * Drop libncurses5-dev from Build-Depends, no longer needed since the ud tool was removed in OpenLDAP 2.1.4. * Drop libltdl3-dev as an alternate Build-Depends, since that package was removed after lenny. * Annotate Build-Depends on perl with :any to allow running the system perl interpreter during cross builds. * Ensure CC is set correctly for cross builds. Thanks Helmut Grohne. * Build-Depend on dpkg-dev (>= 1.17.14) and debhelper (>= 9.20141010) for restriction formula support. * Override the 'dev-pkg-without-shlib-symlink' lintian tag. The symlink is actually in the form libldap_r.so -> libldap_r-2.4.so.xyz and the tag is a false positive; see #687022. * Include the smbk5pwd man page in the slapd-smbk5pwd package. * Allow anonymous read access to the shadowLastChange attribute by default, allowing nss-ldap/nss-ldapd to handle password expiry correctly even when bound anonymously. This was the only restricted shadow attribute, the others were already world-readable. (Closes: #669235) * Drop the redundant default ACL for dn.base="" from the database entry. It's already covered by the fallback case below. * Copy more comments from the slapd.conf template to slapd.init.ldif. Also comment the shadowLastChange access rule. * Import upstream patch to remove an unnecessary assert(0) that could be triggered remotely by an unauthenticated user by sending a malformed BER element. (ITS#8240) . [ Peter Marschall ] * Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to install the new manual page. (Closes: #794998) Checksums-Sha1: 054ba8a83a833789fe536211e00f14dbfb0e38c4 2902 openldap_2.4.42+dfsg-2.dsc 6f8e74cbaf22ee918719c52a8fd0c4cf73a831b4 152620 openldap_2.4.42+dfsg-2.debian.tar.xz Checksums-Sha256: 66bd0c7ccc8997008a4e8c734cb2ee7fed5ac6897217389dc5647ff86bfbac01 2902 openldap_2.4.42+dfsg-2.dsc 6a9bb42aeb745dd2b18765ab067401d450bbf97f8822356fa175397cb9257199 152620 openldap_2.4.42+dfsg-2.debian.tar.xz Files: 749bb6b35d72f415165ae16a4307c0cd 2902 net optional openldap_2.4.42+dfsg-2.dsc b144cbc20d844d1696a8be03da49c4f5 152620 net optional openldap_2.4.42+dfsg-2.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJV8pJNAAoJEKmDSiJSB45Otq4P/2OtVRrPAtg4F4U4LlYyDoCQ qf/emdtJV5dZwIDrckymXCcFPXEGcta1aYeNUqHFNAxW8zi89J2ISzhyhmwh4KdJ fZhjHBmTdJJLJrvU49aItvYflYcPT8UZ9VbXe8OjHTfq1uWO0iTrpPYBX+KUcwd7 haO0dpmvfBJOq98v7i2tSxg3rlH40S6aAbclMfLVxV6lRC0ixwa9m4050CoFWZoP TNy1Qsgbazo3ot7pAjLwlgaK9bzfG3uyHv4NecHoJajWf0FVlAlYM3BEfJh2pTFT KkbR75m2KejrTy0yzcnxK6pdpe4ABWEbPp2Ky6foqy3M809OzpAOB+WnJjGfFZpO 66aCj7fY+rRDuMUOpMu3Q+D+usj/RHpkD+YvbEREvdNTM9R/ZYuQihHGHj4cWo1v YHUp5z+FyyUUytoiFLV1h5J5fGBzL6FsYMH0et7vSttUPP111mLvTlTUbkgfdLgj Zyv5zoULldQNxCivfYRTnMgyRh6LQJNHD5dTb+yuGIbvQeKHp9P+QOGOg0RHDEsa bUaLgDOpOLrnx1+jrtfCnS1v1fCDVP+1CuVbvX2LmErvnRBu8lMEzcpqnlPJXL0+ hpTRgKTgw/saJoZeLFn33f/KFBSKBiAwLJSjJgi2XhQtJncDbp4PNlMWJU20G7ms 6B+ka9e5mj+I8VZuq3og =mFcQ -----END PGP SIGNATURE-----
--- End Message ---

