Package: phpldapadmin
Version: 0.9.8.3-8
Severity: serious

Hi,

The other day I was unpleasantly surprised that the setting:

$ldapservers->SetValue($i,'auto_number','mechanism','uidpool');

the equivalent of which worked normally in sarge, doesn't actually work
on etch, but is still part of the configuration file.

/usr/share/phpldapadmin/lib/functions.php still describes the mechanism,
but the code was apparently ripped out, uncleanly - the switch($mechanism)
default case still references 'uidpool', but the case for it simply
isn't there.

I found this out after a routine check of home directories showed
inconsistencies - old, deleted users' home directories started being
owned by new users, which were created by phpldapadmin with the old UIDs.

This is a privilege escalation (users being given access to data which
doesn't belong to them), and never should have happened if phpldapadmin
was still honoring my sambaUnixIdPool settings.

A Google search shows that the feature may have been intentionally removed
upstream. The package should have *at least* warned about this on upgrade.

Please fix this. TIA.
--
2. That which causes joy or happiness.
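
A home-directory audit of the kind the report mentions, as an added example that is not part of the original report or of phpldapadmin: it flags directories left behind by deleted accounts and directories now owned by a different, live account because a UID was handed out again. The function names, the sample directories and the sample accounts are constructed for illustration; collect() assumes LDAP accounts are visible through pwd.getpwall(), which depends on NSS enumeration being enabled.

```python
import os
import pwd


def audit_homes(dirs, accounts):
    """Compare home directory owners with account data.

    dirs:     iterable of (path, owner_uid) pairs
    accounts: dict mapping uid -> (login, home_path)
    Returns a list of (path, owner_uid, finding) for suspicious directories.
    """
    home_to_uid = {home: uid for uid, (_, home) in accounts.items()}
    findings = []
    for path, owner_uid in dirs:
        if owner_uid not in accounts:
            # Account deleted, files remain: the next account that is
            # given this UID will silently own them.
            findings.append((path, owner_uid, "orphaned"))
        elif path not in home_to_uid:
            # No account claims this directory as its home, yet a live
            # account owns it: the symptom described in the report.
            login = accounts[owner_uid][0]
            findings.append((path, owner_uid, "reused-uid:" + login))
        elif home_to_uid[path] != owner_uid:
            # Directory is some account's home but is owned by another UID.
            findings.append((path, owner_uid, "owner-mismatch"))
    return findings


def collect(base="/home"):
    """Gather live data: directory owners under base and all accounts."""
    dirs = [(e.path, e.stat(follow_symlinks=False).st_uid)
            for e in os.scandir(base) if e.is_dir(follow_symlinks=False)]
    accounts = {p.pw_uid: (p.pw_name, p.pw_dir) for p in pwd.getpwall()}
    return dirs, accounts


# Constructed sample: "olduser" (UID 1005) was deleted, then "newuser"
# was created and received UID 1005 again; "gone" was deleted and its
# UID 1009 has not been reassigned yet.
SAMPLE_DIRS = [("/home/alice", 1001), ("/home/olduser", 1005),
               ("/home/newuser", 1005), ("/home/gone", 1009)]
SAMPLE_ACCOUNTS = {1001: ("alice", "/home/alice"),
                   1005: ("newuser", "/home/newuser")}

if __name__ == "__main__":
    for finding in audit_homes(SAMPLE_DIRS, SAMPLE_ACCOUNTS):
        print(finding)
```

On a real host, audit_homes(*collect()) runs the same comparison against the live filesystem and account database; "orphaned" entries are the ones to archive or re-own before the UID can be allocated again.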