COMMAND

OpenLDAP users may remove non-mandatory attributes from an object in the directory

SYSTEMS AFFECTED

OpenLDAP from 2.0.0 through 2.0.19

PROBLEM

In Red Hat security advisory [RHSA-2002:014-07] [http://www.redhat.com]:

OpenLDAP does not check permissions using access control lists when a user attempts to remove an attribute from an object in the directory by replacing its values with an empty list. Because schema checking is still enforced, a user can only remove attributes which the schema does not require the object to possess.

SOLUTION

Update to OpenLDAP version 2.0.21, see:

http://www.openldap.org/lists/openldap-announce/200201/msg00002.html
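
The check described under PROBLEM, as a simplified model added here for illustration (it is not OpenLDAP source code and not part of the advisory). The schema, ACL table, sample entry and the `patched` switch are constructed assumptions; `patched=True` assumes the updated server consults the ACL for an empty replace as well.

```python
# Simplified model of the behaviour the advisory describes; not OpenLDAP code.
# Schema, ACL table and entry are constructed for illustration.

REQUIRED = {"person": {"cn", "sn"}}          # attributes the schema requires
WRITABLE = {"uid=alice": {"userPassword"}}   # ACL: attributes a user may write


class Denied(Exception):
    """Raised when the modelled server rejects the modify request."""


def replace_attr(entry, user, attr, values, patched):
    """Apply a modify/replace of one attribute to a dict-based entry."""
    allowed = attr in WRITABLE.get(user, set())
    if values:
        # Replace with real values: the ACL is consulted in both versions.
        if not allowed:
            raise Denied("insufficient access")
    elif patched and not allowed:
        # Assumed fixed behaviour: an empty replace (attribute removal)
        # goes through the same ACL check.
        raise Denied("insufficient access")
    # Schema checking is enforced in both versions.
    if not values and attr in REQUIRED[entry["objectClass"][0]]:
        raise Denied("object class violation")
    result = dict(entry)
    if values:
        result[attr] = list(values)
    else:
        result.pop(attr, None)
    return result


def outcome(attr, values, patched):
    """Run one request as uid=alice; return remaining attribute names or the error."""
    entry = {"objectClass": ["person"], "cn": ["Bob"], "sn": ["B"],
             "telephoneNumber": ["555-0100"], "userPassword": ["x"]}
    try:
        return sorted(replace_attr(entry, "uid=alice", attr, values, patched))
    except Denied as exc:
        return str(exc)


if __name__ == "__main__":
    for attr, values in [("telephoneNumber", []), ("sn", []),
                         ("telephoneNumber", ["555-0199"])]:
        for patched in (False, True):
            print(attr, values, "patched" if patched else "affected",
                  "->", outcome(attr, values, patched))
```

In the affected branch the only refusal for an empty replace comes from the schema check, which is why the advisory limits the impact to attributes the object is not required to possess.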