authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2013-06-03 12:01:09 +0100
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2013-06-03 12:01:41 +0100
commit481936527f5f65a80e83c4807b79c7a1c0f272bf (patch)
treebd656bfbbebed70c92cebd4bce918d1480e1f3f8
parent38023876abbdb0dcea25d56c8e3e6277ec13f80a (diff)
downloadpykolab-481936527f5f65a80e83c4807b79c7a1c0f272bf.tar.gz
Prevent search access from allowing users to read userpassword attributes
-rw-r--r--pykolab/setup/setup_ldap.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/pykolab/setup/setup_ldap.py b/pykolab/setup/setup_ldap.py
index dd06293..05dd687 100644
--- a/pykolab/setup/setup_ldap.py
+++ b/pykolab/setup/setup_ldap.py
@@ -553,7 +553,7 @@ ServerAdminPwd = %(admin_pass)s
aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)')
aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)')
aci.append('(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%(hostname)s,cn=389 Directory Server,cn=Server Group,cn=%(fqdn)s,ou=%(domain)s,o=NetscapeRoot";)' %(_input))
- aci.append('(targetattr = "*") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
+ aci.append('(targetattr != "userPassword") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
modlist = []
modlist.append((ldap.MOD_REPLACE, "aci", aci))
auth._auth.ldap.modify_s(dn, modlist)
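Review bot: The new "Search Access" ACI on the `+` line is an exclusion list — `targetattr != "userPassword"` still grants read, compare and search on every other attribute, present or added later, to the `ldap:///all` subject (which in 389 DS should match any authenticated bind; worth confirming). Any other secret-bearing attribute the directory carries now or in future stays readable unless it is appended to that same `!=` expression, so the safer long-term form is an explicit allow-list of the attributes anonymous-style search genuinely needs. At minimum the line deserves a comment making the maintenance burden visible, e.g. `# NOTE: "!=" is an exclusion: every attribute other than userPassword remains readable by all bound users; extend this list for any other secret-bearing attribute`. The enclosing function begins before the hunk, so the `dn` and `aci` setup it operates on is not visible here.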