Frontend DB needs ACLs for base="" and cn=subschema - schema and base dn are not accessible via anonymous connections by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
The current installation of slapd doesn't allow for searches in the empty base (dn="") and the schema entries. These are needed by several client tools to, among other things:
- check what the server schema is (luma, apache directory studio)
- discover what the server supports (the -s base -b "" + search), like authentication mechanisms, extensions, etc
This ldapmodify fixes it after the server is running, so it should give you hints on where to add it properly in the package:
dn: olcDatabase=
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base=
UPDATE: the base for the schema is actually cn=subschema, and not cn=schema
description: updated
summary:
- [karmic] frontend DB needs ACLs for base="" and cn=schema
+ [karmic] frontend DB needs ACLs for base="" and cn=subschema
summary:
- [karmic] frontend DB needs ACLs for base="" and cn=subschema
+ Frontend DB needs ACLs for base="" and cn=subschema - schema and base dn are not accessible via anonymous connections by default
What would be the security implication of opening read access to anyone (by *)?
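
An added example (not part of the bug report or the openldap package): a small Python audit of `olcAccess` values that checks whether an anonymous client can read the root DSE (`dn.base=""`) and `cn=subschema`, and lists any clause that grants anonymous read to more than a single exact entry. The sample ACL lists and the `dc=example,dc=com` names are constructed; the parser assumes only `to *` and `dn.base|exact|subtree` targets, first-match evaluation, and no `stop`/`continue`/`break` control keywords.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RULE = re.compile(r'^(?:\{(\d+)\})?\s*to\s+(\*|dn\.(base|exact|subtree)="([^"]*)")\s+(.*)$', re.I)
BY = re.compile(r'by\s+(\S+)\s+(\w+)', re.I)

# Constructed sample olcAccess values (not taken from any real package or server).
BEFORE = ['{0}to * by dn.exact="cn=admin,dc=example,dc=com" write by users read']
AFTER = ['{0}to dn.base="" by * read',
         '{1}to dn.base="cn=subschema" by * read',
         '{2}to * by dn.exact="cn=admin,dc=example,dc=com" write by users read']
LOOSE = ['{0}to * by * read']

def parse(values):
    """Return (index, scope, dn, [(who, level), ...]) tuples in evaluation order."""
    rules = []
    for pos, value in enumerate(values):
        m = RULE.match(value.strip())
        if not m:  # attrs=, filter=, regex targets etc. are out of scope here
            raise ValueError(f"unsupported olcAccess syntax: {value!r}")
        idx, what, style, dn, rest = m.groups()
        scope = "all" if what == "*" else style.lower().replace("exact", "base")
        bys = [(who.lower(), level.lower()) for who, level in BY.findall(rest)]
        rules.append((int(idx) if idx else pos, scope, (dn or "").lower(), bys))
    return sorted(rules, key=lambda r: r[0])

def anon_level(bys):
    """Level granted by the first by-clause that matches an anonymous client."""
    for who, level in bys:
        if who in ("*", "anonymous"):
            return LEVELS.index(level)
    return 0  # every clause ends with an implicit "by * none"

def covers(scope, dn, target):
    if scope == "base":
        return dn == target
    return scope == "all" or dn == "" or target == dn or target.endswith("," + dn)

def anonymous_can_read(values, target):
    """First matching 'to' clause decides; no match means access is denied."""
    for _, scope, dn, bys in parse(values):
        if covers(scope, dn, target.lower()):
            return anon_level(bys) >= LEVELS.index("read")
    return False

def broad_anonymous_grants(values):
    """Indexes of clauses giving anonymous read to more than one exact entry."""
    return [idx for idx, scope, _, bys in parse(values)
            if scope != "base" and anon_level(bys) >= LEVELS.index("read")]
```

With the constructed `AFTER` list, the two base entries become readable anonymously while `broad_anonymous_grants` stays empty; the `LOOSE` list is flagged because its grant covers every entry.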