pykolab/setup

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Mon Jun 3 13:02:26 CEST 2013


 pykolab/setup/setup_ldap.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 73d81a101b3434d0162b3ca961ca5767b84a99af
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Mon Jun 3 12:01:09 2013 +0100

    Prevent search access from allowing users to read userpassword attributes

diff --git a/pykolab/setup/setup_ldap.py b/pykolab/setup/setup_ldap.py
index 5eb05d5..f6576f1 100644
--- a/pykolab/setup/setup_ldap.py
+++ b/pykolab/setup/setup_ldap.py
@@ -655,7 +655,7 @@ ServerAdminPwd = %(admin_pass)s
     aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)')
     aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)')
     aci.append('(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%(hostname)s,cn=389 Directory Server,cn=Server Group,cn=%(fqdn)s,ou=%(domain)s,o=NetscapeRoot";)' %(_input))
-    aci.append('(targetattr = "*") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
+    aci.append('(targetattr != "userPassword") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
     modlist = []
     modlist.append((ldap.MOD_REPLACE, "aci", aci))
     auth._auth.ldap.modify_s(dn, modlist)
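Review bot: The new "Search Access" ACI on the `+` line excludes only `userPassword`, while `userdn = "ldap:///all"` still grants read, search and compare on every other attribute to every authenticated bind, so any other credential-bearing attribute in the tree (e.g. 389 DS's `passwordHistory` if password history is enabled, or application secrets stored on entries) stays readable to all users. A deny-by-exception list is also fragile against attributes added later; an allow-list `targetattr` naming the attributes clients actually need is the safer shape, and if that is too disruptive for existing clients the exclusion should at least be widened, e.g. `(targetattr != "userPassword || passwordHistory")`. It is also worth confirming against the 389 DS ACI documentation whether the `!=` form matches operational attributes that `targetattr = "*"` did not, since that would widen the grant as a side effect of narrowing it. A one-line comment above the append would help the next maintainer, e.g. `# All authenticated users may read/search everything except password material; keep this list in sync with any secret-bearing attributes added to the schema.` The enclosing function starts before this hunk.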




