Hi,
the debian package for slapd ships with ACLs which basically give
every user (DNs in LDAP parlance) write rights on its own data. The
problem with this approach is that LDAP servers are used mostly as a
repository of policies and permissions about users, and users aren't
expected to be able to set their own policy and permissions
(administrators are).
So, a more sensible solution is to ship the server with a read-only
default. An exception may be considered for the userPassword attribute,
but this should be evaluated by taking into consideration how the LDAP
server relates to other applications and how it is used; in fact, it is
a decision to be made by local administrators.
What do you think?
Regards, Maurizio.
Archive: http://lists.debian.org/50619ff8.7080...@unixrulez.org
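The two policies discussed in the post, written out as slapd ACLs. This is an added illustration, not the ACL actually shipped by the Debian package; the suffix dc=example,dc=org and the admin DN cn=admin,dc=example,dc=org are assumed. The clauses are in slapd.conf syntax; the same text goes into olcAccess: {n} values under cn=config.

```ldif
# Added example, not the Debian package's own default ACL.
# Assumed suffix: dc=example,dc=org; assumed admin DN: cn=admin,dc=example,dc=org
# OpenLDAP evaluates "access to" clauses in order and stops at the first
# clause whose target matches; inside a clause the first matching "by" wins.
# Anything not granted is denied by an implicit trailing "by * none".

### Permissive form (what the post objects to): every bound DN may rewrite
### its own entry, including attributes that carry policy about that user.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read

### Read-only form proposed in the post: authenticated users may read,
### only the administrator writes. userPassword is handled separately so a
### site can decide whether to allow password self-service.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=org" write
#       by self write
# Uncomment "by self write" above only if local policy wants users to be
# able to change their own password; leave it out for a strict read-only
# default. "by anonymous auth" is still required so that simple binds can
# compare the supplied password without exposing the attribute for reading.
        by anonymous auth
        by * none
# The root DSE stays readable so clients can discover the server's features.
access to dn.base=""
        by * read
access to *
        by dn.exact="cn=admin,dc=example,dc=org" write
        by users read
```

Before deploying, slapacl(8) (with -D for the binding DN and -b for the target entry) shows the effective access a given user gets to a given attribute, which is a quick way to confirm that self-write is really gone outside userPassword.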