Mirror of https://github.com/lldap/lldap.git (synced 2026-04-25 08:15:52 +03:00)
[GH-ISSUE #563] Deleted admin account gets recreated with default password #204
Originally created by @hpaantee on GitHub (Apr 24, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/563
First of all, thanks for developing this great software. It's easy to use and deploy.
However, I just noticed that when you delete the default admin "admin", it gets recreated with the default password and privileges.
That means that if you, e.g. to protect against brute force attacks, delete it and use another admin account (with a different name) instead, the default one gets recreated.
This seems dangerous, as people might not suspect that behavior, and it allows access to ldap via the typical admin/password combo.
Currently I changed its password and removed it from the administrator group. But lldap should just check if there is at least one other user member of the administrator group.
@nitnelave commented on GitHub (Apr 24, 2023):
I think we can simply check whether there are any users, it shouldn't be possible as an admin to remove yourself from the admin group, so there will always be one.
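The two checks discussed in this thread, worked through as an added example (this is not lldap's own bootstrap code). It uses a constructed in-memory user store in place of the database, an assumed admin group name, and a placeholder for the default password. `bootstrap_naive` reproduces the reported behaviour (recreate "admin" whenever it is missing); `bootstrap_if_no_admin` implements the reporter's proposal (recreate only when no admin-group member remains) and `bootstrap_if_no_users` the maintainer's simpler one (recreate only on an empty database). The two guards differ only when users exist but none is in the admin group, which the maintainer notes should not be reachable through the application.

```rust
// Added example, not lldap's code: guarding default-admin bootstrap so that a
// deliberately deleted "admin" account is not silently recreated.
use std::collections::HashSet;

/// Group whose members are administrators (name is an assumption for this example).
pub const ADMIN_GROUP: &str = "lldap_admin";
/// Name of the bootstrap account the server creates on first start.
pub const DEFAULT_ADMIN: &str = "admin";
/// Constructed placeholder, not a real default credential.
pub const DEFAULT_PASSWORD: &str = "<default-password-placeholder>";

#[derive(Debug, Clone, PartialEq)]
pub struct User {
    pub name: String,
    pub password: String,
    pub groups: HashSet<String>,
}

/// Hypothetical in-memory store standing in for the user database.
#[derive(Debug, Default, Clone)]
pub struct UserStore {
    users: Vec<User>,
}

#[derive(Debug, PartialEq)]
pub enum Bootstrap {
    /// The default admin was (re)created with DEFAULT_PASSWORD.
    Created,
    /// Creation was skipped; the string names the guard that fired.
    Skipped(&'static str),
}

impl UserStore {
    pub fn add(&mut self, name: &str, password: &str, groups: &[&str]) {
        self.users.push(User {
            name: name.to_string(),
            password: password.to_string(),
            groups: groups.iter().map(|g| g.to_string()).collect(),
        });
    }

    /// Removes a user by name; returns true if something was deleted.
    pub fn delete(&mut self, name: &str) -> bool {
        let before = self.users.len();
        self.users.retain(|u| u.name != name);
        self.users.len() != before
    }

    pub fn exists(&self, name: &str) -> bool {
        self.users.iter().any(|u| u.name == name)
    }

    pub fn user_count(&self) -> usize {
        self.users.len()
    }

    /// Number of users in the admin group, whatever their name.
    pub fn admin_count(&self) -> usize {
        self.users.iter().filter(|u| u.groups.contains(ADMIN_GROUP)).count()
    }

    /// The behaviour reported in the issue: "admin" missing => recreate it with
    /// default credentials, even if other administrators exist.
    pub fn bootstrap_naive(&mut self) -> Bootstrap {
        if self.exists(DEFAULT_ADMIN) {
            return Bootstrap::Skipped("default admin exists");
        }
        self.add(DEFAULT_ADMIN, DEFAULT_PASSWORD, &[ADMIN_GROUP]);
        Bootstrap::Created
    }

    /// Reporter's proposal: recreate only if no member of the admin group remains.
    pub fn bootstrap_if_no_admin(&mut self) -> Bootstrap {
        if self.admin_count() > 0 {
            return Bootstrap::Skipped("another admin-group member exists");
        }
        self.add(DEFAULT_ADMIN, DEFAULT_PASSWORD, &[ADMIN_GROUP]);
        Bootstrap::Created
    }

    /// Maintainer's proposal: recreate only when the database has no users at all.
    pub fn bootstrap_if_no_users(&mut self) -> Bootstrap {
        if self.user_count() > 0 {
            return Bootstrap::Skipped("users already exist");
        }
        self.add(DEFAULT_ADMIN, DEFAULT_PASSWORD, &[ADMIN_GROUP]);
        Bootstrap::Created
    }
}

fn main() {
    // Constructed scenario: a second admin was created, then the default one deleted.
    let mut store = UserStore::default();
    store.add(DEFAULT_ADMIN, DEFAULT_PASSWORD, &[ADMIN_GROUP]);
    store.add("alice", "<alice-password-placeholder>", &[ADMIN_GROUP]);
    store.delete(DEFAULT_ADMIN);
    println!("naive:    {:?}", store.clone().bootstrap_naive());
    println!("no_admin: {:?}", store.clone().bootstrap_if_no_admin());
    println!("no_users: {:?}", store.clone().bootstrap_if_no_users());
}
```

Running the scenario in `main` shows the naive bootstrap reporting `Created` (the deleted account is back with the default password) while both guarded variants report `Skipped`. The point of the guard is that the only state in which default credentials are acceptable is one where nobody could have set anything else up yet.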