Implement DIT Content Rules or similar

Bug #310578 reported by Andreas Hasenack
Affects: OpenLDAP DIT
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Current ACLs cannot prevent, for example, DNS Administrators from creating a posixAccount entry under ou=dns and giving it the uidNumber of root (zero). A poorly configured nss_ldap client which is pointing at the root of the tree instead of the ou=people branch would then accept that entry as a valid one for the unix root user.

To prevent this, we should use DIT Content Rules, which specifically control what kind of entries can be created. Here is a short explanation:
http://www.openldap.org/faq/data/cache/1473.html

Another very attractive option, and perhaps even a better one, is to use a new feature in OL >= 2.4.13 called "add_content_acl yes":
http://www.openldap.org/faq/data/cache/1474.html
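The following slapd.conf fragment is an added example, not part of the bug report and not OpenLDAP's own configuration. It shows the second suggestion in practice: the ordinary subtree ACL that lets the scenario above happen, followed by the `add_content_acl` setting and the value-level ACLs that close it. The suffix dc=example,dc=com, the branches ou=dns and ou=people, and the groups cn=dnsadmins and cn=useradmins are assumptions chosen for the illustration.

```conf
# Added example (not from the bug report or from OpenLDAP).
# Assumed: suffix dc=example,dc=com; DNS admins in
# cn=dnsadmins,ou=groups,dc=example,dc=com; account admins in
# cn=useradmins,ou=groups,dc=example,dc=com.

# WEAK: a plain subtree ACL. An LDAP add only checks write access to the
# new entry (and to "children" of its parent); the attribute values inside
# the new entry are not checked. So a DNS admin can add, under ou=dns,
# an entry carrying objectClass: posixAccount and uidNumber: 0.
#
#access to dn.subtree="ou=dns,dc=example,dc=com"
#    by group.exact="cn=dnsadmins,ou=groups,dc=example,dc=com" write
#    by * read

# HARDENED (OpenLDAP >= 2.4.13): also apply ACLs to the content of an
# entry being added. The default is off.
add_content_acl on

# Nobody (the rootdn bypasses ACLs) may write the value posixAccount into
# objectClass, or any uidNumber, beneath ou=dns. Because ACLs are
# first-match on the "to" clause, these must come before the broader rule.
# With add_content_acl on they apply to ldapadd as well as ldapmodify.
access to dn.subtree="ou=dns,dc=example,dc=com" attrs=objectClass val=posixAccount
    by * none
access to dn.subtree="ou=dns,dc=example,dc=com" attrs=uidNumber
    by * none

# Everything else under ou=dns stays writable by the DNS admins.
access to dn.subtree="ou=dns,dc=example,dc=com"
    by group.exact="cn=dnsadmins,ou=groups,dc=example,dc=com" write
    by * read

# Unix accounts live only under ou=people, managed by a different group.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=useradmins,ou=groups,dc=example,dc=com" write
    by * read
```

Two points worth keeping in mind. A DIT content rule is attached to a structural object class and governs every entry of that class wherever it sits in the tree, so on its own it cannot tell ou=dns apart from ou=people; the ACL route is the per-subtree one. And the server-side fix does not remove the client-side mistake the report describes: nss_ldap should still be pointed at the people branch (for example `nss_base_passwd ou=people,dc=example,dc=com?one` in nss_ldap's configuration, assumed base DN) rather than searching from the root of the tree.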
