Slapd default ACLs.

To: debian-security@lists.debian.org
Subject: Slapd default ACLs.
From: Maurizio Cimaschi <mauri@unixrulez.org>
Date: Tue, 25 Sep 2012 14:13:44 +0200
Message-id: <[🔎] 50619FF8.7080305@unixrulez.org>

Hi,

the debian package for slapd ships with ACLs which basically give toevery users (DNs in LDAP parlance) write rights on its own data. Theproblem with this approach is that LDAP servers are used mostly as arepository of policies and permissions about users, and users aren'texpected to be able to set their own policy and persmissions(administrators are).

So, a more sensible solution is ship the server with a read onlydefault. An exception may be considered for the userPassword attribute,but this should be evaluated by taking in consideration how the LDAPserver relates with other application and how it is used; in fact, it isa decision to be made by local administrators.


    What do you think ?

        Regards, Maurizio.

Reply to:

Prev by Date: Re: [SECURITY] [DSA 2550-1] asterisk security update
Next by Date: Victor Manuel Sanz Galceran está ausente de la oficina.
Previous by thread: Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
Next by thread: Victor Manuel Sanz Galceran está ausente de la oficina.
Index(es):
- Date
- Thread