Bug#673400: marked as done (slapd: normal user is able to change/delete/unset the password of other users)

Wed, 25 Mar 2020 10:36:19 -0700 

Your message dated Wed, 25 Mar 2020 10:32:35 -0700
with message-id <20200325173235.ga5...@t570.nardis.ca>
and subject line Re: slapd: normal user is able to change/delete/unset the 
password of other users
has caused the Debian Bug report #673400,
regarding slapd: normal user is able to change/delete/unset the password of 
other users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
673400: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673400
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: slapd
Version: 2.4.23-7.2
Severity: normal

I've installed slapd on a plain debian squeeze together with 
ldap-account-manager. 

After configuring slapd with dpkg-reconfigure, I logged in as admin on the 
ldap-account-manager and created 2 users (user1, user2). I logged in as user1 
and changed personal information. I noticed, that I am not able to change 
values of user2 except for the password. It's possible, logged in as user1, to 
change/delete/unset the password of user2 and vice versa. It seems that the 
standard setup lacks something like the following lines:

access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none

I report this as a critical bug, since it could cause information leakage and 
not wanted privileges to services that authenticate against LDAP.


-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                3.112+nmu2        add and remove users and groups
ii  coreutils              8.5-1             GNU core utilities
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libc6                  2.11.3-3          Embedded GNU C Library: Shared lib
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libgnutls26            2.8.6-1+squeeze2  the GNU TLS library - runtime libr
ii  libldap-2.4-2          2.4.23-7.2        OpenLDAP libraries
ii  libltdl7               2.2.6b-2          A system independent dlopen wrappe
ii  libperl5.10            5.10.1-17squeeze3 shared Perl library
ii  libsasl2-2             2.1.23.dfsg1-7    Cyrus SASL - authentication abstra
ii  libslp1                1.2.1-7.8         OpenSLP libraries
ii  libwrap0               7.6.q-19          Wietse Venema's TCP wrappers libra
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  perl [libmime-base64-p 5.10.1-17squeeze3 Larry Wall's Practical Extraction 
ii  psmisc                 22.11-1           utilities that use the proc file s
ii  unixodbc               2.2.14p2-1        ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules          2.1.23.dfsg1-7 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                    2.4.23-7.2 OpenLDAP utilities

-- debconf information:
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
  slapd/password_mismatch:
  slapd/invalid_config: true
* shared/organization: example.com
  slapd/upgrade_slapcat_failure:
* slapd/backend: HDB
  slapd/dump_database: when needed
* slapd/allow_ldap_v2: false
* slapd/no_configuration: false
* slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
* slapd/purge_database: true
* slapd/domain: example.com

--- End Message ---
--- Begin Message --- 
Hello,

My squeeze chroot is long gone, but I tried this on jessie:

1. install slapd and ldap-account-manager;
2. login to LAM configuration and setup the local suffix;
3. login to LAM as admin and create "user1" and "user2" Unix users;
4. login to LAM as user1 and attempt to change user2's password;
5. login to LAM as user2 and attempt to change user1's password.
In both cases the users were prevented from changing the other's password, with an "Insufficient access" error message when "Save" is pressed (note "Set Password" alone does not commit the change, have to actually press "Save").
I'm closing this bug based on that, but feel free to reopen if you can provide a test case that reproduces the issue reported. 

thanks,
Ryan

--- End Message ---

Reply via email to