Frontend DB needs ACLs for base="" and cn=subschema - schema and base dn are not accessible via anonymous connections by default

Bug #427842 reported by Andreas Hasenack on 2009-09-11
70
This bug affects 14 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Wishlist
Unassigned
Declined for Lucid by Mathias Gug

Bug Description

The current installation of slapd doesn't allow for searches in the empty base (dn="") and the schema entries. These are needed by several client tools to, among other things:
- check what the server schema is (luma, apache directory studio)
- discover what the server supports (the -s base -b "" + search), like authentication mechanisms, extensions, etc

This ldapmodify fixes it after the server is running, so it should give you hints on where to add it properly in the package:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read

UPDATE: the base for the schema is actually cn=subschema, and not cn=schema

Mathias Gug (mathiaz) wrote :

What would be the security implication of opening read access to anyone
(by *)?

Changed in openldap (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Andreas Hasenack (ahasenack) wrote :

IIRC that's the way it is by default with slapd.conf, so we are keeping the same privileges in cn=config.

The base "" was meant to be readable by everyone because it advertises the capabilities of the server. Without it, for example, a client can't know if the server supports START TLS or not. And this discovery has implications in the authentication mechanism the client will decide to use next, so clients may not even be able to authenticated without having this information beforehand. Chicken and egg.

If the schema is not public, it will break many clients doing anonymous browsing of the server. So if the intent of the admin is to allow as little as possible anonymous connections, this acls could be changed to read "by users read". But I still think some random client might break. For example, if it tries to check for the schema before being authenticated.

On Fri, Sep 11, 2009 at 02:20:29PM -0000, Andreas Hasenack wrote:
> IIRC that's the way it is by default with slapd.conf, so we are keeping
> the same privileges in cn=config.
>

Well - IIRC the default slapd.conf was 'access to * by * read' for the
default database:

access to *
        by dn="@ADMIN@" write
        by * read

> The base "" was meant to be readable by everyone because it advertises
> the capabilities of the server. Without it, for example, a client can't
> know if the server supports START TLS or not. And this discovery has
> implications in the authentication mechanism the client will decide to
> use next, so clients may not even be able to authenticated without
> having this information beforehand. Chicken and egg.
>

Right. So 'olcAccess: to dn.base="" by *' read makes sense and should be
added to the default ACL list.

> If the schema is not public, it will break many clients doing anonymous
> browsing of the server. So if the intent of the admin is to allow as
> little as possible anonymous connections, this acls could be changed to
> read "by users read". But I still think some random client might break.
> For example, if it tries to check for the schema before being
> authenticated.

It seems that we'll have to make a choice between security and
backward-compatibility. I'd like to get the opinion of the security team
for this one.

Should a default slapd installation have 'olcAccess: to dn.base="cn=schema" by * read' ?

  subscribe ubuntu-security

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

FWIW, I tried Luma and Apache Directory Studio and both first authenticate and then check for the schema, so their search for the schema is an authenticated one.

description: updated
summary: - [karmic] frontend DB needs ACLs for base="" and cn=schema
+ [karmic] frontend DB needs ACLs for base="" and cn=subschema

discovery in ldapvi does not work without mentioned changes

Mathias Gug (mathiaz) on 2010-01-12
summary: - [karmic] frontend DB needs ACLs for base="" and cn=subschema
+ Frontend DB needs ACLs for base="" and cn=subschema - schema and base dn
+ are not accessible via anonymous connections by default
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.21-0ubuntu4

---------------
openldap (2.4.21-0ubuntu4) lucid; urgency=low

  [ Simon Olofsson ]
  * debian/slapd.postinst:
    - Show a message after successful migration (LP: #538848)

  [ Jorgen Rosink ]
  * debian/slapd.init: add simple status checking with LSB compatible exit
    codes (LP: #562377)
  * debian/slapd.init.ldif:
    - remove admin user in default config database (LP: #556176)
    - in default config, add olcAccess entries giving access to controls
      available and cn=subschema (LP: #427842)

  [ Scott Moser ]
  * debian/slapd.scripts-common: Do not create /nonexistent directory
     for openldap user's home (LP: #556176)
  * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
 -- Scott Moser <email address hidden> Mon, 12 Apr 2010 16:16:47 -0400

Changed in openldap (Ubuntu):
status: Triaged → Fix Released
djsmiley2k (djsmiley2k) wrote :

Still broken for me :(

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers