Implement DIT Content Rules or similar

Bug #310578 reported by Andreas Hasenack
Affects Status Importance Assigned to Milestone

Bug Description

Current ACLs cannot prevent, for example, DNS Administrators from creating a posixAccount entry under ou=dns and give it the uidNumber of root (zero). A poorly configured nss_ldap client which is pointing at the root of the tree instead of the ou=people branch would then accept that entry as a valid one for the unix root user.

To prevent this, we should use DIT Content Rules, which specifically control what kind of entries can be created. Here is a short explanation:

Another very attractive option, and perhaps even a better one, is to use a new feature in OL >= 2.4.13 called "add_content_acl yes":

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.