[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema
** Description changed:

  The current installation of slapd doesn't allow for searches in the
  empty base (dn="") and the schema entries. These are needed by several
  client tools to, among other things:
  - check what the server schema is (luma, apache directory studio)
  - discover what the server supports (the -s base -b "" + search), like
    authentication mechanisms, extensions, etc

  This ldapmodify fixes it after the server is running, so it should
  give you hints on where to add it properly in the package:

  dn: olcDatabase={-1}frontend,cn=config
  changetype: modify
  add: olcAccess
  olcAccess: to dn.base="" by * read
- olcAccess: to dn.base="cn=schema" by * read
+ olcAccess: to dn.base="cn=subschema" by * read
+
+ UPDATE: the base for the schema is actually cn=subschema, and not
+ cn=schema

** Summary changed:

- [karmic] frontend DB needs ACLs for base="" and cn=schema
+ [karmic] frontend DB needs ACLs for base="" and cn=subschema

-- 
[karmic] frontend DB needs ACLs for base="" and cn=subschema
https://bugs.launchpad.net/bugs/427842
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema
What would be the security implication of opening read access to anyone
(by *)?

** Changed in: openldap (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: openldap (Ubuntu)
       Status: New => Triaged
[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema
IIRC that's the way it is by default with slapd.conf, so we are keeping
the same privileges in cn=config.

The base was meant to be readable by everyone because it advertises the
capabilities of the server. Without it, for example, a client can't know
if the server supports START TLS or not. And this discovery has
implications in the authentication mechanism the client will decide to
use next, so clients may not even be able to authenticate without having
this information beforehand. Chicken and egg.

If the schema is not public, it will break many clients doing anonymous
browsing of the server. So if the intent of the admin is to allow as
little as possible anonymous connections, these ACLs could be changed to
read "by users read". But I still think some random client might break.
For example, if it tries to check for the schema before being
authenticated.
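As an added example (not from the bug report or the openldap package), the following script turns the ldapmodify from the description and the "by users read" variant discussed in the comment above into a parameterised generator, and adds the two anonymous discovery searches a defender would run afterwards to see what an unauthenticated client can learn: the rootDSE search (`-s base -b "" +`) and the subschema read. The server URI `ldap://localhost` and the helper names are assumptions; the STARTTLS extended-operation OID is the one from RFC 4511.

```shell
#!/bin/sh
# Added example, not from the bug report or the openldap package.
# Assumes the standard ldapsearch/ldapmodify clients; ldap://localhost
# is a placeholder URI.
set -eu

# Emit the ldapmodify LDIF from the bug description, with the corrected
# cn=subschema base. WHO is "*" (anyone, as the report proposes) or
# "users" (authenticated binds only, the restrictive variant discussed).
frontend_acl_ldif() {
    who="${1:-*}"
    cat <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.base="" by $who read
olcAccess: to dn.base="cn=subschema" by $who read
EOF
}

# Given rootDSE LDIF on stdin, print the advertised SASL mechanisms,
# one per line. This is the information the comment above says a client
# needs before it can choose how to authenticate.
sasl_mechs_from_rootdse() {
    sed -n 's/^supportedSASLMechanisms: //p'
}

# Given rootDSE LDIF on stdin, exit 0 if the server advertises the
# STARTTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511).
rootdse_offers_starttls() {
    grep -q '^supportedExtension: 1\.3\.6\.1\.4\.1\.1466\.20037$'
}

# Anonymous (-x, no -D) base search on "" requesting operational
# attributes (+): the discovery search the bug report refers to.
rootdse_anonymous() {
    ldapsearch -x -LLL -H "${1:-ldap://localhost}" -s base -b "" +
}

# Anonymous read of the subschema entry. Empty output or an
# "Insufficient access" error means clients that fetch the schema before
# binding will break, which is the compatibility trade-off in the thread.
subschema_anonymous() {
    ldapsearch -x -LLL -H "${1:-ldap://localhost}" -s base -b "cn=subschema" objectClasses
}

# Usage against a real server (not run here):
#   frontend_acl_ldif '*'   | ldapmodify -Y EXTERNAL -H ldapi:///
#   frontend_acl_ldif users | ldapmodify -Y EXTERNAL -H ldapi:///
#   rootdse_anonymous ldap://localhost | sasl_mechs_from_rootdse
#   rootdse_anonymous ldap://localhost | rootdse_offers_starttls && echo "STARTTLS advertised"
#   subschema_anonymous ldap://localhost
```

Applying the "users" variant closes the rootDSE to anonymous clients as well, so `rootdse_anonymous` will then return nothing; run it before and after the change to see exactly which discovery data the ACL choice removes.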
Re: [Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema
On Fri, Sep 11, 2009 at 02:20:29PM -, Andreas Hasenack wrote:
> IIRC that's the way it is by default with slapd.conf, so we are keeping
> the same privileges in cn=config.

Well - IIRC the default slapd.conf was 'access to * by * read' for the
default database:

  access to *
      by dn="@ADMIN@" write
      by * read

> The base was meant to be readable by everyone because it advertises the
> capabilities of the server. Without it, for example, a client can't know
> if the server supports START TLS or not. And this discovery has
> implications in the authentication mechanism the client will decide to
> use next, so clients may not even be able to authenticate without having
> this information beforehand. Chicken and egg.

Right. So 'olcAccess: to dn.base="" by * read' makes sense and should be
added to the default ACL list.

> If the schema is not public, it will break many clients doing anonymous
> browsing of the server. So if the intent of the admin is to allow as
> little as possible anonymous connections, these ACLs could be changed to
> read "by users read". But I still think some random client might break.
> For example, if it tries to check for the schema before being
> authenticated.

It seems that we'll have to make a choice between security and
backward-compatibility. I'd like to get the opinion of the security team
for this one. Should a default slapd installation have
'olcAccess: to dn.base="cn=schema" by * read' ?

 subscribe ubuntu-security

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
[Bug 427842] Re: [karmic] frontend DB needs ACLs for base="" and cn=schema
FWIW, I tried Luma and Apache Directory Studio and both first
authenticate and then check for the schema, so their search for the
schema is an authenticated one.