
RE: Building openldap with overlays



From: Michael Ströder [mailto:michael@stroeder.com] 
>> During a Modify/Password operation,
>> multiple attributes are being modified, some requested by the user, so 
>> the operation must be performed as the user.

> Hmm, are there any security considerations with 'pwdFailureTime' and
> 'pwdAccountLockedTime' being modifiable by the user?

They're only modifiable by the user if you have a "by self write" ACL that affects them. Certainly in my configuration the only thing most users can change is their own password (and pwdReset, but see below), and I would imagine that most people would set their directory up with similarly limited permissions for users. For example, by allowing users to write to all attributes in their own directory entry, it would be far too tempting to change one's uidNumber to 0, rather more of a risk than them changing their pwdFailureTime. You can't add NO-USER-MODIFICATION to pwdAccountLockedTime as your sysadmins need to be able to lock accounts, so ACLs seem the best approach to me.

In order to get all this to work as intended (without the user having write access to all these attributes) I've had to add NO-USER-MODIFICATION to pwdChangedTime, pwdGraceUseTime, pwdExpirationWarned and pwdHistory. I've also had to allow (in slapd.conf) access to attrs=pwdReset by self write. That might look at first glance like a bad idea, but I think it's okay. pwdReset needs to be deleted when the user resets their password, so you either have to allow the user write access to it or make it NO-USER-MODIFICATION; doing the latter would prevent users in the sysadmin group (which I've also given write access to) from expiring a user's password. Although the user theoretically has write access to pwdReset, this doesn't help them when pwdReset: TRUE because they would need to reset their password before they are able to change pwdReset anyway (I hope that's correct!)




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
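A slapd.conf ACL fragment illustrating the split the post describes (self write only on userPassword and pwdReset, sysadmin group write on the lockout attributes, read-only elsewhere). This is an added example, not the poster's configuration; the sysadmin group DN and the dc=example,dc=com suffix are placeholders.

```conf
# Added example: ACLs for the ppolicy attributes discussed in the post.
# slapd evaluates "access to" clauses in order and uses the first whose
# target matches, so the specific attribute rules come before "access to *".

# Users may change their own password; the sysadmin group (placeholder DN)
# may reset anyone's. "anonymous auth" allows the bind itself.
access to attrs=userPassword
        by self write
        by group.exact="cn=sysadmins,ou=groups,dc=example,dc=com" write
        by anonymous auth
        by * none

# pwdReset is writable by self so it can be cleared when the user changes
# the password (the change runs as the user). Sysadmins set it to TRUE to
# force a reset. A user with pwdReset: TRUE must change the password first,
# which is why self write here does not let them bypass the forced reset.
access to attrs=pwdReset
        by self write
        by group.exact="cn=sysadmins,ou=groups,dc=example,dc=com" write
        by * read

# Lockout bookkeeping: writable by sysadmins (so they can lock an account
# by writing pwdAccountLockedTime), but never by the account itself.
access to attrs=pwdAccountLockedTime,pwdFailureTime
        by group.exact="cn=sysadmins,ou=groups,dc=example,dc=com" write
        by self read
        by * none

# Everything else in the entry is read-only for the account. The weak
# alternative the post warns against would be:
#     access to * by self write
# which would let a user rewrite attributes such as uidNumber.
access to *
        by self read
        by group.exact="cn=sysadmins,ou=groups,dc=example,dc=com" write
        by * read
```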