external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-04 00:17:06 +00:00
Code Issues Releases Wiki Activity

Allow the nextcloud service account to be able to change user account passwords.

Browse Source 
This should be removed once Nextcloud Server iss 18406 is fixed.
This commit is contained in:
downtownallday 2022-04-08 10:05:34 -04:00
parent 98f4e5b2fc
commit 70475cc294
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
setup/ldap.sh
View File

@ -579,6 +579,15 @@ apply_access_control() {
ldapmodify -Q -Y EXTERNAL -H ldapi:/// >/dev/null <<EOF ldapmodify -Q -Y EXTERNAL -H ldapi:/// >/dev/null <<EOF
dn: $cdn dn: $cdn
replace: olcAccess replace: olcAccess
# the next line is for nextcloud to be able to change user account
# passwords. remove it when nextcloud server issue #18406 is fixed
olcAccess: to dn.subtree="${LDAP_USERS_BASE}" attrs=userPassword
by dn.exact="cn=management,${LDAP_SERVICES_BASE}" write
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=nextcloud,${LDAP_SERVICES_BASE}" write
by self =wx
by anonymous auth
by * none
olcAccess: to attrs=userPassword olcAccess: to attrs=userPassword
by dn.exact="cn=management,${LDAP_SERVICES_BASE}" write by dn.exact="cn=management,${LDAP_SERVICES_BASE}" write
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

29
tests/suites/ldap-access.sh
View File

@ -19,6 +19,10 @@
# no anonymous binds to root DSE # no anonymous binds to root DSE
# no anonymous binds to database # no anonymous binds to database
# #
# Exception: the nextcloud service account is allowed to change user
# passwords until this issue is fixed:
#
# https://github.com/nextcloud/server/issues/18406
test_user_change_password() { test_user_change_password() {
@ -113,6 +117,30 @@ test_user_access() {
} }
test_nextcloud_service_access() {
# The nextcloud service account is allowed to change user
# passwords until issue #18406 is fixed
test_start "nextcloud-service-access"
# create regular user with password "alice"
local alice="alice@somedomain.com"
create_user "alice@somedomain.com" "alice"
local alice_dn="$ATTR_DN"
# allowed: update userPassword of a user account
assert_w_access "$alice_dn" "$LDAP_NEXTCLOUD_DN" "$LDAP_NEXTCLOUD_PASSWORD" write "userPassword=$(slappasswd_hash "alice-new")"
# not allowed: update userPassword of service account
assert_w_access "$LDAP_POSTFIX_DN" "$LDAP_NEXTCLOUD_DN" "$LDAP_NEXTCLOUD_PASSWORD" no-write "userPassword=$(slappasswd_hash "test-new")"
# not allowed: update userPassword of own account
assert_w_access "$LDAP_NEXTCLOUD_DN" "$LDAP_NEXTCLOUD_DN" "$LDAP_NEXTCLOUD_PASSWORD" no-write "userPassword=$(slappasswd_hash "test-new")"
delete_user "$alice"
test_end
}
test_service_change_password() { test_service_change_password() {
# service accounts should not be able to change other user's # service accounts should not be able to change other user's
@ -249,6 +277,7 @@ test_user_change_password
test_user_access test_user_access
test_service_change_password test_service_change_password
test_service_access test_service_access
test_nextcloud_service_access
test_root_dse test_root_dse
test_anon_bind test_anon_bind