OpenLDAP DIT

Account admins can set any password under System Accounts

Bug #306329 reported by Andreas Hasenack
2
Affects Status Importance Assigned to Milestone
OpenLDAP DIT
Fix Committed
Undecided
Unassigned

Bug Description

This ACL:
# userPassword access
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="dc=example,dc=com"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,dc=example,dc=com" write
        by * read
access to dn.subtree="dc=example,dc=com"
        attrs=userPassword
        by group.exact="cn=Account Admins,ou=System Groups,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

Allows account admins to set passwords also under ou=System Accounts, allowing them to become Ldap Admins for example.

Related branches

lp://staging/openldap-dit
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Fixed in trunk

Changed in openldap-dit:
status: New → Fix Committed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.