Package: pure-ftpd-ldap
Version: 1.0.21-8
Severity: minor

The pure-ftpd LDAP support needs to read the userPassword attribute of a user to give it access. This is the wrong way to do this, because reading that attribute for all users needs privileged access to the LDAP database.

From what I see starting slapd in debug mode, pure-ftpd asks for the userPassword attribute, and because I get an error if I do an anonymous bind and it works if I use the LDAP admin user, I suppose that pure-ftpd is checking the password on its own, using the value of userPassword. This is bad for two reasons: you need to give privileged access, and the password must be in a format recognised by pure-ftpd.

The standard way to authenticate a user using LDAP is to do a bind as that user. This way the server does the authentication, you don't need privileged access, and you don't need to do any check.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-2-686
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)

Versions of packages pure-ftpd-ldap depends on:
ii  libc6             2.6.1-1+b1    GNU C Library: Shared libraries
ii  libcap1           1:1.10-14     support for getting/setting POSIX.
ii  libldap2          2.1.30-13.3   OpenLDAP libraries
ii  libpam0g          0.79-4        Pluggable Authentication Modules l
ii  libssl0.9.8       0.9.8c-4      SSL shared libraries
ii  pure-ftpd-common  1.0.21-8      Pure-FTPd FTP server (Common Files

pure-ftpd-ldap recommends no packages.

-- no debconf information
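The two approaches the report contrasts, shown side by side as an added example; this is not code from pure-ftpd, from Debian, or from the report's author. It assumes a tree under ou=people,dc=example,dc=org and an admin DN cn=admin,dc=example,dc=org, and the Directory class is an in-memory stand-in for slapd (constructed here, with a made-up ACL that lets only the admin DN read userPassword) so the flow runs offline. The {SSHA} and {SHA} password schemes, the RFC 4515 filter escaping and the RFC 4513 empty-password rule are the real ones a client has to handle: the "read userPassword" client fails without a privileged bind DN and breaks on a scheme it does not know, while the search-then-bind client needs neither.

```python
"""Search-then-bind LDAP authentication versus reading userPassword (added example)."""
import base64
import hashlib
import os
import re

BASE_DN = "ou=people,dc=example,dc=org"   # assumed tree layout
ADMIN_DN = "cn=admin,dc=example,dc=org"   # assumed: the only DN whose ACL allows reading userPassword

class PermissionDenied(Exception): pass    # ACL denies reading the attribute
class InvalidCredentials(Exception): pass  # simple bind rejected (LDAP result code 49)

def ssha(password, salt=None):
    """Salted SHA-1 in the {SSHA} form slapd stores by default."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def check_ssha(stored, password):
    raw = base64.b64decode(stored[6:])   # 20-byte digest followed by the salt
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def check_sha(stored, password):
    """Unsalted {SHA}: the stand-in server knows it, the client below does not."""
    return base64.b64decode(stored[5:]) == hashlib.sha1(password.encode()).digest()

def escape_filter(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    username such as "*" or "x)(uid=*" cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class Directory:
    """In-memory stand-in for slapd: entries, simple bind and a toy ACL."""
    VERIFIERS = {"{SSHA}": check_ssha, "{SHA}": check_sha}

    def __init__(self):
        self.entries = {}

    def add(self, dn, **attrs):
        self.entries[dn] = attrs

    def bind(self, dn, password):
        """Simple bind. A DN with an empty password is an 'unauthenticated' bind
        (RFC 4513 s5.1.2): success, but as anonymous, so clients must refuse it."""
        if dn is None or password == "":
            return Session(self, None)
        entry = self.entries.get(dn)
        if entry is None:
            raise InvalidCredentials(dn)
        stored = entry["userPassword"]
        if not self.VERIFIERS[stored[:stored.index("}") + 1]](stored, password):
            raise InvalidCredentials(dn)
        return Session(self, dn)

class Session:
    def __init__(self, directory, bound_dn):
        self.directory, self.bound_dn = directory, bound_dn

    def search(self, base, ldap_filter, attrs):
        """Equality filters only, e.g. (uid=alice). Returns [(dn, {attr: value})]."""
        if "userPassword" in attrs and self.bound_dn != ADMIN_DN:
            raise PermissionDenied("userPassword is readable only by " + ADMIN_DN)
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, wanted = m.group(1), unescape_filter(m.group(2))
        return [(dn, {a: e.get(a) for a in attrs}) for dn, e in self.directory.entries.items()
                if dn.endswith("," + base) and e.get(attr) == wanted]

def auth_by_reading_password(directory, service_dn, service_pw, username, password):
    """What the report describes pure-ftpd doing: fetch userPassword and verify it
    locally. Needs a DN allowed to read the attribute and knowledge of every scheme."""
    session = directory.bind(service_dn, service_pw)
    hits = session.search(BASE_DN, "(uid=%s)" % escape_filter(username), ["userPassword"])
    if len(hits) != 1:
        return False
    stored = hits[0][1]["userPassword"]
    if not stored.startswith("{SSHA}"):
        raise ValueError("client cannot verify scheme " + stored[:stored.index("}") + 1])
    return check_ssha(stored, password)

def auth_by_binding(directory, username, password):
    """Search-then-bind: find the DN over an anonymous (or low-privilege) session,
    then bind as that DN so the server does the password check."""
    if password == "":
        return False   # would otherwise turn into an unauthenticated bind and look like success
    hits = directory.bind(None, "").search(BASE_DN, "(uid=%s)" % escape_filter(username), ["uid"])
    if len(hits) != 1:
        return False
    try:
        directory.bind(hits[0][0], password)
    except InvalidCredentials:
        return False
    return True

def build_directory():
    """Constructed sample data: alice stored as {SSHA}, bob as {SHA}."""
    d = Directory()
    d.add(ADMIN_DN, userPassword=ssha("admin-secret"))
    d.add("uid=alice," + BASE_DN, uid="alice", userPassword=ssha("correct horse"))
    d.add("uid=bob," + BASE_DN, uid="bob",
          userPassword="{SHA}" + base64.b64encode(hashlib.sha1(b"battery staple").digest()).decode())
    return d

def attempt(fn, *args):
    """Return fn(*args), or the exception class name if it raises."""
    try:
        return fn(*args)
    except Exception as exc:
        return type(exc).__name__
```

Against a real slapd the same two steps are an anonymous `ldapsearch -x -b "ou=people,dc=example,dc=org" "(uid=alice)" dn` followed by `ldapwhoami -x -D "<that dn>" -W`; the empty-password check in auth_by_binding matters because most servers treat a DN with an empty password as an anonymous bind that succeeds rather than as a failed login.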