
Re: Ang. RE: Bdb defaults - WAS: problem importing entries.



> (yes, on multiple boxes set up by other people from separate companies,
> who apparently knew what they were doing, there are *no* ACLs in effect,
> and since these boxes were running 2.0.x, all passwords and user
> information are accessible. If the provided ACLs were even used, the
> position would be no better!)

well, I guess that, as soon as the rootDSE is exposed, I can become rootdn
on at least 50% of the installations by simple binding
as -D "cn=Manager,$namingContext" -w secret !

> Nice that everyone here is happy to criticise people trying to do
> something to make openldap more accessible (and secure and useable) to
> non-gurus (when most other packages available provide absolutely no
> assistance and end up with users who haven't spent the time setting up
> vulnerable installations).

Please don't get me (us?) wrong.  I really appreciate people who package
stuff; I happen to package something myself some time, and it's terrible
to realize how many things one has to consider to make the package usable
at all.  I think we got here from a totally different perspective, and,
from everyone's point of view, everyone is right and the others are wrong.
 Reasonable defaults apparently belong to packagers, and feature
implementation belongs to developers.  However, what's a reasonable
default is not easy to determine; and if the reasonable default is flawed,
then it's not even reasonable for those it was designed for.  So take all
of this as a constructive criticism, and keep on criticizing your
defaults.  We'll keep on criticizing our documentation and our
configuration options.  Trust me, I do it sometimes; but the process is
more from a trial and error point of view because this work is done in the
spare time, so looking ahead is not so common.  As such, features are
implemented, improved, rewritten and finally documented; then people
complain about the docs or the feature or both, and things have to be
improved.  It's a long process...

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
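
Added example, not part of the original message or of OpenLDAP: a small audit of a slapd.conf for the two conditions raised in this thread, a rootpw left at "secret" and a database with no access directives. The sample configuration, its suffixes and the function names are constructed for illustration.

```python
import shlex

# Constructed sample slapd.conf; suffixes and the hash value are placeholders.
SAMPLE_CONF = '''\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
database bdb
suffix "dc=example,dc=org"
rootdn "cn=admin,dc=example,dc=org"
rootpw {SSHA}constructedPlaceholderHash
access to attrs=userPassword
    by anonymous auth
    by * none
'''

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop blanks and comments."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and raw.strip() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip():
            out.append(raw.strip())
    return [l for l in out if not l.startswith("#")]

def audit(text):
    """Return (suffix, finding) tuples, one per problem per database section."""
    findings, dbs, global_acl = [], [], False
    for line in logical_lines(text):
        words = shlex.split(line)
        key = words[0].lower()
        if key == "database":
            dbs.append({"suffix": "?", "rootpw": None, "acl": False})
        elif key == "access" and dbs:
            dbs[-1]["acl"] = True
        elif key == "access":
            global_acl = True  # access directives before any database are global
        elif dbs and key in ("suffix", "rootpw") and len(words) > 1:
            dbs[-1][key] = words[1]
    for db in dbs:
        pw = db["rootpw"]
        if pw == "secret":
            findings.append((db["suffix"], "rootpw is the default 'secret'"))
        elif pw and not pw.startswith("{"):
            findings.append((db["suffix"], "rootpw stored in cleartext"))
        if not (db["acl"] or global_acl):
            findings.append((db["suffix"], "no access directives in effect"))
    return findings
```

Calling `audit(open(path).read())` on a packaged slapd.conf lists each database that still needs a hashed rootpw or explicit ACLs before the server is exposed.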