Quanah Gibson-Mount wrote:
--On Tuesday, May 29, 2012 4:08 PM +0000 hyc(a)symas.com wrote:
>> It is a problem that a slappasswd user must have read privilege
>> on slapd.conf (or slapd.d) by this patch...
>
> slappasswd is an administrative command; if you don't have administrator
> access already you have no business running it.
What in any way makes it administrative? You simply give it a password to
convert into whatever scheme for you. Where is the administrative
requirement? Why shouldn't X user with some particular permissions into
the database, but not the configuration, be able to run it to generate a
value?
slap*(8) are all administrative tools, by definition. You should already know
that.
Why should X user ever need to run this tool to generate a value? slapd
generates users' password values automatically. The only time anyone ever
*needs* this tool is for setting a rootpw in the slapd config. That's the only
reason this tool exists and it is the only valid use case.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/