password change does not work: LDAP, sssd, nss or pam error?
Gordon Messmer
yinyang at eburg.com
Sat Oct 9 17:57:15 UTC 2010
On 10/09/2010 12:53 AM, Volker Potworowski wrote:
> access to *
>     by dn.exact="cn=root,dc=teraphim,dc=de" read
>     by * none
> access to attrs=userPassword
>     by dn.base="cn=Manager,dc=teraphim,dc=de" write
>     by anonymous auth
>     by self write
>     by * none
> access to attrs=shadowLastChange
>     by self write
>     by * read
> access to *
>     by self write
>     by * read
I should preface my response with: I run 389 DS. I understand OpenLDAP
reasonably well, but I prefer not to use it. So...
That's weird. I'd expect the first rule to disallow virtually all
access... However, the most important thing is this:
NEVER ALLOW "access to * by self write". NEVER!
If you allow DNs to write to their own attributes, your users can change
their uidNumber to 0 and become root.
The simplest advisable set of ACLs is probably:
access to attrs=userpassword
    by anonymous auth
    by self write
    by * none
access to *
    by * read
    by anonymous auth
However, even that is unsuitable if you are going to run Samba on LDAP.
The SMB password hashes aren't plain-text, but they ARE plain-text
equivalents! If I can read your SMB password hash, I can log in to your
account on Samba and any other Windows domain member.
Try starting with:
access to attrs=userpassword
    by anonymous auth
    by self write
    by * none
access to
    attrs=objectclass,entry,cn,co,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,userPassword,uidNumber,gidNumber,loginShell,homeDirectory,shadowMin,shadowMax,shadowLastChange,shadowWarning,memberUid
    by * read
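The evaluation order that the reply relies on (first matching "access to" clause wins, first matching "by" clause inside it decides, and an unmatched requester falls through to "by * none") can be checked offline. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of those slapd.access(5) semantics that is run over the "access to * by self write" pattern the reply warns against, the "simplest advisable" ACL set, and the configuration quoted at the top of the thread. The user DNs (alice, bob) are constructed for the demonstration; the model does not special-case the rootdn, which in a real slapd bypasses ACLs entirely.

```python
"""Model of OpenLDAP "access to <what> by <who> <level>" evaluation.

Rules are scanned in order; the first "access to" whose target covers the
requested attribute is selected; inside it the first "by" clause matching the
requester decides; no matching "by" means "by * none". Higher levels imply
every level below them.
"""

# Access levels from slapd.access(5), weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(text):
    """Parse slapd.conf-style rules into [(target, [(who, level), ...])].

    target is "*" (any attribute) or a set of lower-cased attribute names.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to"):
            spec = line[len("access to"):].strip()
            if spec == "*":
                target = "*"
            elif spec.startswith("attrs="):
                target = {a.strip().lower() for a in spec[len("attrs="):].split(",")}
            else:
                raise ValueError(f"unsupported <what> clause: {spec!r}")
            rules.append((target, []))
        elif line.startswith("by "):
            if not rules:
                raise ValueError("'by' clause before any 'access to'")
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1][1].append((who.strip(), level))
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return rules


def _who_matches(who, bind_dn, entry_dn):
    """Does a <who> clause match a requester bound as bind_dn (None = anonymous)?"""
    norm = lambda dn: dn.replace(" ", "").lower()
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
    for prefix in ("dn.exact=", "dn.base=", "dn="):
        if who.startswith(prefix):
            wanted = who[len(prefix):].strip('"')
            return bind_dn is not None and norm(bind_dn) == norm(wanted)
    raise ValueError(f"unsupported <who> clause: {who!r}")


def access_level(rules, bind_dn, entry_dn, attr):
    """Level the rules grant bind_dn on attribute attr of the entry entry_dn."""
    for target, by_clauses in rules:
        if target != "*" and attr.lower() not in target:
            continue  # this "access to" does not cover the attribute
        for who, level in by_clauses:
            if _who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # first covering "access to" wins; implicit "by * none"
    return "none"  # no directive selected the attribute at all


def allowed(rules, bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least `needed` (levels imply lower ones)."""
    return LEVELS.index(access_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


# Constructed sample DNs (only the base DN comes from the thread).
ALICE = "uid=alice,ou=People,dc=teraphim,dc=de"
BOB = "uid=bob,ou=People,dc=teraphim,dc=de"

# The pattern the reply says never to allow: owners may write every attribute.
SELF_WRITE_ALL = "access to *\n  by self write\n  by * read\n"

# The reply's "simplest advisable" ACL set.
RECOMMENDED = ("access to attrs=userPassword\n  by anonymous auth\n  by self write\n"
               "  by * none\naccess to *\n  by * read\n  by anonymous auth\n")

# The configuration quoted at the top of the thread, in the order posted.
QUOTED_THREAD = ('access to *\n  by dn.exact="cn=root,dc=teraphim,dc=de" read\n  by * none\n'
                 "access to attrs=userPassword\n  by dn.base=\"cn=Manager,dc=teraphim,dc=de\" write\n"
                 "  by anonymous auth\n  by self write\n  by * none\n"
                 "access to attrs=shadowLastChange\n  by self write\n  by * read\n"
                 "access to *\n  by self write\n  by * read\n")


def can_self_write(acl_text, attr):
    """Can an ordinary user write `attr` on their own entry under these rules?"""
    return allowed(parse_acl(acl_text), ALICE, ALICE, attr, "write")


def can_user_read(acl_text, reader_dn, attr):
    """Can reader_dn read `attr` on alice's entry under these rules?"""
    return allowed(parse_acl(acl_text), reader_dn, ALICE, attr, "read")


if __name__ == "__main__":
    for name, acl in (("self-write-all", SELF_WRITE_ALL), ("recommended", RECOMMENDED),
                      ("quoted-thread", QUOTED_THREAD)):
        print(f"{name}: alice writes own uidNumber={can_self_write(acl, 'uidNumber')}, "
              f"own userPassword={can_self_write(acl, 'userPassword')}, "
              f"bob reads her userPassword={can_user_read(acl, BOB, 'userPassword')}")
```

Under the self-write-all rule alice can set her own uidNumber (the root takeover the reply describes) and bob can read her password hash; under the recommended set only the password is self-writable and the hash is hidden from other users, while anonymous binds still get "auth" on it. Under the quoted configuration the leading "access to * ... by * none" covers every attribute first, so alice's password change is refused before the later userPassword rule is ever consulted, which is the ordering problem the reply points out.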