
proxy auth and userpassword access



Hi,
when using proxy authentication with strong bind, the attribute
userPassword has to have read access, that is, auth access is not
sufficient. Is there any particular reason for this potential security
hole?

slapd[7028]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested
slapd[7028]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0) 
slapd[7028]: <= check a_dn_pat: self
slapd[7028]: <= check a_dn_pat: *
slapd[7028]: <= acl_mask: [2] applying auth(=xd) (stop)
slapd[7028]: <= acl_mask: [2] mask: auth(=xd)
slapd[7028]: => slap_access_allowed: read access denied by auth(=xd)
slapd[7028]: => access_allowed: no more rules
slapd[7028]: send_search_entry: conn 3 access to attribute userPassword, value #0 not allowed
 
-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
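
Added example (not part of the original message): a small parser that turns a slapd ACL trace like the one quoted above into one record per access decision, so read requests against userPassword can be picked out of a log. The input is the trace from the post; the function names are hypothetical and the line format is assumed to be exactly what the post shows.

```python
import re

# Trace lines copied from the post above (slapd ACL debug output).
SAMPLE = '''\
slapd[7028]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested
slapd[7028]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0)
slapd[7028]: <= check a_dn_pat: self
slapd[7028]: <= check a_dn_pat: *
slapd[7028]: <= acl_mask: [2] applying auth(=xd) (stop)
slapd[7028]: <= acl_mask: [2] mask: auth(=xd)
slapd[7028]: => slap_access_allowed: read access denied by auth(=xd)
slapd[7028]: => access_allowed: no more rules
slapd[7028]: send_search_entry: conn 3 access to attribute userPassword, value #0 not allowed
'''

TARGET = re.compile(r'=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
WHO = re.compile(r'=> acl_mask: to [^"]* by "([^"]*)"')
MASK = re.compile(r'<= acl_mask: \[(\d+)\] mask: (\S+)')
RESULT = re.compile(r'=> slap_access_allowed: (\w+) access (granted|denied) by (\S+)')

def acl_decisions(text):
    """Yield one dict per completed ACL evaluation found in the trace."""
    cur = {}
    for line in text.splitlines():
        if m := TARGET.search(line):
            cur = {"entry": m.group(1), "attr": m.group(2)}   # new evaluation starts
        elif m := WHO.search(line):
            cur["requestor"] = m.group(1)                      # identity being checked
        elif m := MASK.search(line):
            cur["rule"] = int(m.group(1))                      # index of the matching by-clause
        elif (m := RESULT.search(line)) and cur:
            cur.update(requested=m.group(1), result=m.group(2), mask=m.group(3))
            yield cur
            cur = {}

def password_reads(text):
    """Decisions where read or higher access to userPassword was requested."""
    return [d for d in acl_decisions(text)
            if d["attr"].lower() == "userpassword"
            and d["requested"] in ("read", "write", "manage")]

if __name__ == "__main__":
    for d in password_reads(SAMPLE):
        print(f'{d["requestor"]} requested {d["requested"]} on {d["attr"]} of '
              f'{d["entry"]}: {d["result"]} (rule {d.get("rule")}, mask {d["mask"]})')
```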