[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema

Andreas Hasenack andreas at canonical.com
Fri Sep 11 15:20:29 BST 2009


IIRC that's the way it is by default with slapd.conf, so we are keeping
the same privileges in cn=config.

The base "" was meant to be readable by everyone because it advertises
the capabilities of the server. Without it, for example, a client can't
know if the server supports START TLS or not. And this discovery has
implications in the authentication mechanism the client will decide to
use next, so clients may not even be able to authenticate without
having this information beforehand. Chicken and egg.

If the schema is not public, it will break many clients doing anonymous
browsing of the server. So if the intent of the admin is to allow as
few anonymous connections as possible, these ACLs could be changed to
read "by users read". But I still think some random client might break.
For example, if it tries to check for the schema before being
authenticated.

-- 
[karmic] frontend DB needs ACLs for base="" and cn=schema
https://bugs.launchpad.net/bugs/427842
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.
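
Added example (not part of the original message or of the openldap package): a sketch of the pre-bind discovery step described above, showing what a client learns when base "" is anonymously readable and what it is left with when it is not. The LDIF samples, the host name in the comment and the function names are constructed for illustration.

```python
# Constructed LDIF shaped like the result of an anonymous base-scope search, e.g.
#   ldapsearch -x -H ldap://ldap.example.com -b "" -s base +
# (ldap.example.com is a placeholder host).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation

ROOT_DSE_READABLE = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
subschemaSubentry: cn=Subschema
"""

# With an ACL that hides base "" from anonymous users, the search returns no entry.
ROOT_DSE_DENIED = ""


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}.

    Handles folded continuation lines; base64 ("::") values are not decoded.
    """
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def discover(ldif):
    """Summarise what an unauthenticated client knows before it binds.

    None means "unknown": the client cannot tell whether StartTLS or any
    SASL mechanism is available, or where the schema is published.
    """
    attrs = parse_entry(ldif)
    if not attrs:
        return {"starttls": None, "sasl": None, "schema_dn": None}
    return {
        "starttls": STARTTLS_OID in attrs.get("supportedextension", []),
        "sasl": sorted(attrs.get("supportedsaslmechanisms", [])),
        "schema_dn": (attrs.get("subschemasubentry") or [None])[0],
    }
```
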


