Re: schema access must not be controlled by ACL (ITS#2706)
At 07:13 AM 9/9/2003, suomi@ayni.com wrote:
>Full_Name: suomi hasler
>Version: openldap-2.1.22-1
>OS: Linux 2.4.19-4GB
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (195.141.97.126)
>
>
>I am intending to use LDAP for NSS purposes. To this aim, I install as
>restrictive ACLs as possible. But when I installed the following ACL:
>
>access to *
> by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com" write
> by dn="cn=manager,dc=ayni,dc=com" write
> by self write
> by anonymous none
>
>I could not even read such basic things as the namingcontext and the schema any
>more.
Good.
>RFC 2251 says (3.2.2)
>
> Servers which follow X.500(93) models SHOULD implement subschema
> using the X.500 subschema mechanisms, and so these subschemas are not
> ordinary entries. LDAP clients SHOULD NOT assume that servers
> implement any of the other aspects of X.500 subschema. A server
> which masters entries and permits clients to modify these entries
> MUST implement and provide access to these subschema entries, so that
> its clients may discover the attributes and object classes which are
> permitted to be present. It is strongly recommended that all other
> servers implement this as well.
The sentence is misleading (LDAPbis should clarify this).
Servers are free to subject any and all information they provide to
access control.
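
As an added illustration (not part of the original message or of OpenLDAP's own documentation), the quoted ACL set beside a version that keeps the same restrictions but restores anonymous read of the root DSE and the subschema entry; it assumes slapd.conf syntax as in OpenLDAP 2.1 and the DNs from the report.

```conf
# --- ACL as reported: anonymous clients can read nothing at all ---
# slapd evaluates "access to" directives in order and uses the first
# one whose <what> matches the entry; "*" matches every entry,
# including the root DSE (dn "") and cn=Subschema, so anonymous
# lookups of namingContexts and the schema are denied here.
access to *
    by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com" write
    by dn="cn=manager,dc=ayni,dc=com" write
    by self write
    by anonymous none

# --- Adjusted: same policy, but server metadata stays readable ---
# These two directives must precede the catch-all "access to *",
# otherwise they are never reached (first matching directive wins).
# Root DSE: namingContexts, supportedControls, and similar.
access to dn.base=""
    by * read

# Subschema entry: attributeTypes, objectClasses, and similar.
access to dn.base="cn=Subschema"
    by * read

# Everything else stays exactly as restrictive as before; a "by"
# clause that matches nobody falls through to an implied "by * none".
access to *
    by dn="cn=suomi,ou=pam-ldap,dc=ayni,dc=com" write
    by dn="cn=manager,dc=ayni,dc=com" write
    by self write
    by anonymous none
```

Publishing the schema and root DSE does not expose directory data, but any further reads an NSS client needs (for example the user and group entries) still have to be granted explicitly under the catch-all directive.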