[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema
Mathias Gug
mathiaz at ubuntu.com
Fri Sep 11 15:43:31 BST 2009
On Fri, Sep 11, 2009 at 02:20:29PM -0000, Andreas Hasenack wrote:
> IIRC that's the way it is by default with slapd.conf, so we are keeping
> the same privileges in cn=config.
>
Well - IIRC the default slapd.conf was 'access to * by * read' for the
default database:
access to *
by dn="@ADMIN@" write
by * read
> The base "" was meant to be readable by everyone because it advertises
> the capabilities of the server. Without it, for example, a client can't
> know if the server supports START TLS or not. And this discovery has
> implications in the authentication mechanism the client will decide to
> use next, so clients may not even be able to authenticate without
> having this information beforehand. Chicken and egg.
>
Right. So 'olcAccess: to dn.base="" by * read' makes sense and should be
added to the default ACL list.
> If the schema is not public, it will break many clients doing anonymous
> browsing of the server. So if the intent of the admin is to allow as
> little as possible anonymous connections, these ACLs could be changed to
> read "by users read". But I still think some random client might break.
> For example, if it tries to check for the schema before being
> authenticated.
It seems that we'll have to make a choice between security and
backward-compatibility. I'd like to get the opinion of the security team
for this one.
Should a default slapd installation have 'olcAccess: to
dn.base="cn=schema" by * read' ?
subscribe ubuntu-security
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
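As an added example (not part of the bug report or of the openldap package), this is what the two ACLs under discussion look like when applied to the frontend database in cn=config; the database DN follows the stock cn=config layout and the admin DN is a placeholder:

```ldif
# Added example, not from the bug report: proposed frontend ACLs in cn=config.
# Assumes the stock cn=config layout, where the frontend database is
# olcDatabase={-1}frontend,cn=config; the admin DN below is a placeholder.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
# Root DSE: anonymous read so clients can discover supportedExtension
# (e.g. the StartTLS OID) and supportedSASLMechanisms before binding.
olcAccess: {0}to dn.base="" by * read
# Schema: the backward-compatible choice. Swap "by * read" for
# "by users read" to require authentication, at the cost of breaking
# clients that fetch the schema anonymously (the trade-off in the thread).
olcAccess: {1}to dn.base="cn=schema" by * read
# Everything else: admin writes, anyone reads, mirroring the old
# slapd.conf default quoted above. Order matters: slapd stops at the
# first "to" clause that matches, so the two specific rules come first.
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
-
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif` as root on a host using the standard ldapi socket; `replace:` discards any existing olcAccess values on the frontend database, so read them first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={-1}frontend,cn=config' olcAccess`.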
--
[karmic] frontend DB needs ACLs for base="" and cn=schema
https://bugs.launchpad.net/bugs/427842
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.