[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP_STRONG_REQUIRED unconditionally



At 04:12 AM 2002-10-22, Marian Eichholz wrote:
>Hello!
>
>In the last sub-releases (at least 2.1.5-2.1.8) *all* modifications are
>forced to be done in conjunction with strong authentication.

Actually, the code only requires authentication.

>See servers/slapd/backend.c:913-915:
>
>                        if( op->o_ndn.bv_len == 0 ) {
>                                *text = "modifications require authentication";
>                                return LDAP_STRONG_AUTH_REQUIRED;
>
>IMHO the directory administrator should be granted - as possible in the
>past 

I would have no problem with an "allow anonymous_update" flag
which would disable this check.  Feel free to submit a patch.

>and as *default* (for production environment compatibility) to
>allow for modifications without any authentication.

I would have significant problem with this.  The default should
be safe and consistent with the LDAP technical specifications.
RFC 2829:
   Servers are encouraged to prevent modifications by anonymous users.

>I see no reason to completely disable non-authenticated modification of
>the database. Commenting out the condition easily brought us back into
>production.
>
>Such a default policy would make sense, because the admin may require
>Authentication through the "ssf" structure for security reasons.

I don't understand what you mean by 'authentication through the
"ssf" structure' as it related to client authentication.   The ssf
structure is used to ensure that some level of data integrity
and confidentiality protection is in place.  While this implies
authentication of the server, it does not imply authentication
of the client.

>This could be easily applied to the condition in line 911. If it should
>become default beahaviour, You could make the "require"-clause default
>in the slapd.conf example.
>
>What do You think about this suggestion? It may prevent *much* bad
>experience (and confusion) with directories and toolsets deployed with
>not-too-old openldap releases.

I think we should continue to encourage authentication
before directory updates.  As I noted above, I wouldn't
have a problem with the addition of an "allow anonymous_update"
directive, but I would have a significant problem with
allowing anonymous update by default.

Kurt