Comment 3 for bug 427842

Mathias Gug (mathiaz) wrote : Re: [Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema

On Fri, Sep 11, 2009 at 02:20:29PM -0000, Andreas Hasenack wrote:
> IIRC that's the way it is by default with slapd.conf, so we are keeping
> the same privileges in cn=config.
>

Well - IIRC the default slapd.conf was 'access to * by * read' for the
default database:

access to *
        by dn="@ADMIN@" write
        by * read

> The base "" was meant to be readable by everyone because it advertises
> the capabilities of the server. Without it, for example, a client can't
> know if the server supports START TLS or not. And this discovery has
> implications in the authentication mechanism the client will decide to
> use next, so clients may not even be able to authenticate without
> having this information beforehand. Chicken and egg.
>

Right. So 'olcAccess: to dn.base="" by * read' makes sense and should be
added to the default ACL list.

> If the schema is not public, it will break many clients doing anonymous
> browsing of the server. So if the intent of the admin is to allow as
> little as possible anonymous connections, these acls could be changed to
> read "by users read". But I still think some random client might break.
> For example, if it tries to check for the schema before being
> authenticated.

It seems that we'll have to make a choice between security and
backward-compatibility. I'd like to get the opinion of the security team
for this one.

Should a default slapd installation have 'olcAccess: to dn.base="cn=schema" by * read' ?

  subscribe ubuntu-security

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
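
Added example, not part of the original message or of the Ubuntu slapd packaging: a check of what an anonymous client can learn from base "", which is the discovery step the quoted text describes. It parses the LDIF from an anonymous base-scope search; the host name and both sample inputs are constructed, and the schema DN is read from the server's subschemaSubentry attribute rather than assumed.

```shell
#!/bin/sh
# Live input would come from an anonymous base-scope search of the root DSE:
#   ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b "" \
#       supportedExtension subschemaSubentry
# (ldap.example.com is a placeholder host.)

STARTTLS_OID="1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID

# Constructed sample: root DSE as seen when base "" is readable by anyone.
sample_readable() {
cat <<'EOF'
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.20037
subschemaSubentry: cn=Subschema
EOF
}

# Constructed sample: ACLs hide base "" from anonymous, so no entry comes back.
sample_hidden() { printf ''; }

# Reads LDIF on stdin and prints: starttls=<yes|no> subschema=<dn|none>
audit_rootdse() {
    awk -v oid="$STARTTLS_OID" '
        BEGIN { tls = "no"; schema = "none" }
        {
            sub(/\r$/, "")            # tolerate CRLF line endings
            name = tolower($0)        # attribute names are case-insensitive
            value = substr($0, index($0, ": ") + 2)
        }
        name ~ /^supportedextension: / && value == oid { tls = "yes" }
        name ~ /^subschemasubentry: /                  { schema = value }
        END { printf "starttls=%s subschema=%s\n", tls, schema }
    '
}

# Show both cases when run directly.
sample_readable | audit_rootdse
sample_hidden   | audit_rootdse
```

A result of `starttls=no subschema=none` from an anonymous bind means the client cannot tell whether StartTLS is offered or where the schema lives before it authenticates.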