Implement DIT Content Rules or similar

Bug #310578 reported by Andreas Hasenack
Affects: OpenLDAP DIT | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone:

Bug Description

Current ACLs cannot prevent, for example, DNS Administrators from creating a posixAccount entry under ou=dns and giving it the uidNumber of root (zero). A poorly configured nss_ldap client which is pointing at the root of the tree instead of the ou=people branch would then accept that entry as a valid one for the unix root user.

To prevent this, we should use DIT Content Rules, which specifically control what kind of entries can be created. Here is a short explanation:
http://www.openldap.org/faq/data/cache/1473.html

Another very attractive option, and perhaps even a better one, is to use a new feature in OL >= 2.4.13 called "add_content_acl yes":
http://www.openldap.org/faq/data/cache/1474.html
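Until the directory itself refuses such entries, an administrator can at least detect them. The following audit script is an added example, not part of the bug report or of OpenLDAP: it walks an LDIF dump and reports posixAccount entries that a client searching from a given nss_ldap base would accept although they sit outside the intended people branch, and any uidNumber claimed by more than one entry inside that search scope. The DNs, branch names and the sample LDIF are constructed for the example.

```python
from collections import defaultdict

# Constructed sample LDIF (not from the bug report): the genuine root account
# under ou=people and a rogue posixAccount with uidNumber 0 under ou=dns.
SAMPLE_LDIF = """\
dn: uid=root,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: root
uidNumber: 0

dn: uid=root,ou=dns,dc=example,dc=com
objectClass: posixAccount
uid: root
uidNumber: 0
"""

def parse_ldif(text):
    """Minimal LDIF parser -> list of (dn, {attr_lower: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        entries.append((dn, dict(attrs)))
    return entries

def in_subtree(dn, base):
    """True if dn is base itself or lies beneath it (case-insensitive)."""
    norm = lambda s: s.replace(", ", ",").strip().lower()
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def audit(ldif_text, nss_base, people_base):
    """Flag posixAccount entries visible from nss_base but outside people_base,
    and uidNumbers shared by more than one entry within that search scope."""
    findings, by_uid = [], defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "posixaccount" not in classes or not in_subtree(dn, nss_base):
            continue
        for n in attrs.get("uidnumber", []):
            by_uid[n].append(dn)
        if not in_subtree(dn, people_base):
            findings.append(("outside_people_branch", dn))
    for n, dns in sorted(by_uid.items()):
        if len(dns) > 1:
            findings.append(("duplicate_uidNumber=" + n, sorted(dns)))
    return findings
```

Running audit(SAMPLE_LDIF, "dc=example,dc=com", "ou=people,dc=example,dc=com") reproduces the scenario from the report (client base at the tree root), while the same call with the base set to ou=people returns nothing, which is the configuration the report recommends for nss_ldap.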
