Quanah Gibson-Mount wrote:
> --On Tuesday, May 29, 2012 4:08 PM +0000 [email protected] wrote:
>
>>> It is a problem that a slappasswd user must have read privilege
>>> on slapd.conf (or slapd.d) by this patch...
>>
>> slappasswd is an administrative command; if you don't have administrator
>> access already you have no business running it.
>
> What in any way makes it administrative? You simply give it a password to
> convert into whatever scheme for you. Where is the administrative
> requirement? Why shouldn't X user with some particular permissions into
> the database, but not the configuration, be able to run it to generate a
> value?

slap*(8) are all administrative tools, by definition. You should already know that. Why should X user ever need to run this tool to generate a value? slapd generates users' password values automatically. The only time anyone ever *needs* this tool is for setting a rootpw in the slapd config. That's the only reason this tool exists and it is the only valid use case.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
