On Tue, Jan 25, 2005 at 10:50:46AM -0500, Ted Zlatanov wrote:

> Great. Should your patch also guard against this possibility, though?
> That was my original concern. Someone malicious could set their
> mailAlternateAddress and break someone else's login in your system.
You could possibly guard against this (I haven't tried it myself) by setting read-only access to "mail" and "mailAlternateAddress" for user "self" in the slapd.conf file:

http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control

I haven't tried it though. And then force users to go through a webpage to add aliases to their account. That might seem like a pain, but I wouldn't want users adding aliases of other known users and reading their email.

I'm not sure if there is a way to put into the qmail-ldap LDAP schema that mail and mailAlternateAddress should be unique across all users -- there might be a way with "mail" as openldap doesn't allow you to create two users with the same DN. But I doubt there is a way with the multi-field mailAlternateAddress.

> In the current qmail-ldap, this apparently also disables mail
> delivery. Perhaps the docs should have a note about this, so users are
> not given access to editing of mailAlternateAddress. I was not aware
> of this until now - maybe others are not, either.

You mean you've never accidentally copied an email address to someone else's account without deleting it from the original? Not that I've ever done that myself ...

For further protection you could dump the LDAP entries using slapcat and check and see if there's duplicate mail* entries in there.

Chris
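The slapcat check Chris suggests, written out as an added example (this is not code from the thread or from qmail-ldap): it parses the LDIF that `slapcat` emits, including folded continuation lines and base64 (`::`) values, and reports every `mail` or `mailAlternateAddress` value that is claimed by more than one entry, which is exactly the collision that lets one user's alias capture another user's mail. The sample directory embedded at the bottom is constructed for illustration; the DNs, attribute names, and the `--sample` flag are assumptions of this script, not anything from the post.

```python
"""Report mail/mailAlternateAddress values shared by more than one LDAP entry.

Added example, not from the original mailing-list post.  Typical use:

    slapcat | python3 find_dup_mail.py

Exit status is 1 when a duplicate is found, so it can run from cron.
"""
import base64
import sys
from collections import defaultdict

# Attributes qmail-ldap resolves recipients from; LDIF attribute names are
# case-insensitive, so everything is compared in lower case.
MAIL_ATTRS = {"mail", "mailalternateaddress"}


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.

    Handles folded lines (a leading space continues the previous line),
    base64 values ('attr:: ...'), '#' comments and blank-line separators.
    """
    # Step 1: unfold continuation lines into logical lines.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    # Step 2: group attribute lines into entries.
    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                      # tolerate stray non-attribute lines
        name = name.strip().lower()
        if name == "version" and current is None:
            continue                      # 'version: 1' header, not an entry
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):        # URL-valued attribute, irrelevant here
            continue
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def find_duplicates(ldif_text):
    """Return {address: sorted DNs} for each address owned by >1 entry."""
    owners = defaultdict(set)
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in MAIL_ATTRS:
            for value in entry.get(attr, []):
                owners[value.lower()].add(dn)   # addresses compare case-insensitively
    return {addr: sorted(dns) for addr, dns in owners.items() if len(dns) > 1}


def report(dups):
    """Render the duplicate map as human-readable lines."""
    lines = []
    for addr in sorted(dups):
        lines.append(f"{addr} is claimed by {len(dups[addr])} entries:")
        lines.extend(f"    {dn}" for dn in dups[addr])
    return "\n".join(lines)


# Constructed sample: bob has added alice's primary address as an alias
# (base64-encoded, as slapcat may emit it), and carol has taken bob's alias
# with different letter case and a folded line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: qmailUser
uid: alice
mail: alice@example.com
mailAlternateAddress: postmaster@example.com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: qmailUser
uid: bob
mail: bob@example.com
mailAlternateAddress: bob.smith@example.com
mailAlternateAddress:: YWxpY2VAZXhhbXBsZS5jb20=

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: qmailUser
uid: carol
mail: carol@example.com
mailAlternateAddress: Bob.Smith@exa
 mple.com
"""

if __name__ == "__main__":
    text = SAMPLE_LDIF if "--sample" in sys.argv[1:] else sys.stdin.read()
    dups = find_duplicates(text)
    if dups:
        print(report(dups))
        sys.exit(1)
    print("no duplicate mail/mailAlternateAddress values found")
```

Because the check runs on the slapcat dump rather than on live queries, it sees every entry regardless of the ACLs applied to a particular bind DN; the `--sample` flag only exists so the script can be tried without a directory at hand.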
