[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema

Mathias Gug mathiaz at ubuntu.com
Fri Sep 11 15:43:31 BST 2009

On Fri, Sep 11, 2009 at 02:20:29PM -0000, Andreas Hasenack wrote:
> IIRC that's the way it is by default with slapd.conf, so we are keeping
> the same privileges in cn=config.

Well - IIRC the default slapd.conf was 'access to * by * read' for the
default database:

access to *
        by dn="@ADMIN@" write
        by * read

> The base "" was meant to be readable by everyone because it advertises
> the capabilities of the server. Without it, for example, a client can't
> know if the server supports START TLS or not. And this discovery has
> implications in the authentication mechanism the client will decide to
> use next, so clients may not even be able to authenticate without
> having this information beforehand. Chicken and egg.

Right. So 'olcAccess: to dn.base="" by * read' makes sense and should be
added to the default ACL list.

> If the schema is not public, it will break many clients doing anonymous
> browsing of the server. So if the intent of the admin is to allow as
> little as possible anonymous connections, this ACL could be changed to
> read "by users read". But I still think some random client might break.
> For example, if it tries to check for the schema before being
> authenticated.

It seems that we'll have to make a choice between security and
backward-compatibility. I'd like to get the opinion of the security team
for this one.

Should a default slapd installation have 'olcAccess: to
dn.base="cn=schema" by * read' ?

  subscribe ubuntu-security

Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
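As an added example (not text from the thread and not the Ubuntu package's own default configuration), the cn=config form of the two ACLs discussed above. It assumes the frontend database DN olcDatabase={-1}frontend,cn=config, applied over ldapi:/// as root, and uses cn=Subschema, the DN under which slapd actually serves the subschema subentry (the thread writes it as cn=schema):

```ldif
# Constructed example: grant anonymous read on the root DSE and on the
# subschema subentry via the frontend database.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif
#
# slapd evaluates olcAccess values in order and uses the first "to" clause
# that matches the target entry, so these must come before any "to *" rule
# that does not end in "by * break".  A plain "add" appends to the end of
# the list; if a catch-all rule already exists, prefix the values with
# {0} and {1} instead so they are inserted first.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
# Stricter alternative from the thread, hiding the schema from anonymous
# binds at the cost of clients that read it before authenticating:
#   olcAccess: to dn.base="cn=Subschema" by users read
```

Verify as an anonymous client with `ldapsearch -x -H ldap://localhost -b "" -s base supportedExtension` (Start TLS is advertised as 1.3.6.1.4.1.1466.20037) and `ldapsearch -x -H ldap://localhost -b cn=Subschema -s base objectClasses`; both must succeed for the pre-authentication discovery case Andreas describes.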
