pykolab/setup
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Mon Jun 3 13:02:26 CEST 2013
pykolab/setup/setup_ldap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 73d81a101b3434d0162b3ca961ca5767b84a99af
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Mon Jun 3 12:01:09 2013 +0100
Prevent search access from allowing users to read userpassword attributes
diff --git a/pykolab/setup/setup_ldap.py b/pykolab/setup/setup_ldap.py
index 5eb05d5..f6576f1 100644
--- a/pykolab/setup/setup_ldap.py
+++ b/pykolab/setup/setup_ldap.py
@@ -655,7 +655,7 @@ ServerAdminPwd = %(admin_pass)s
aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)')
aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)')
aci.append('(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%(hostname)s,cn=389 Directory Server,cn=Server Group,cn=%(fqdn)s,ou=%(domain)s,o=NetscapeRoot";)' %(_input))
- aci.append('(targetattr = "*") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
+ aci.append('(targetattr != "userPassword") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
modlist = []
modlist.append((ldap.MOD_REPLACE, "aci", aci))
auth._auth.ldap.modify_s(dn, modlist)
More information about the commits
mailing list