Anyone can add entries?
I'm looking at the ACLs in the OpenLDAP Beta release, downloaded a few
days ago. I notice that anyone can add an entry to the slapd db, with no
authentication, regardless of how I set the ACLs.
I execute a command like this on some client:
% /usr/openldap/bin/ldapadd -h ldapserver -f addme
Where the file "addme" adds an entry with a DN
"UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
The slapd log, using debugging level 384 (128+256) says this:
Backend ACL: access to *
by * none (=n)
slapd starting
daemon: conn=0 fd=7 connection from IP=128.2.122.223:44891 (IP=0.0.0.0:389) accepted.
conn=0 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 7
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 ADD dn="UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
=> access_allowed: write access to "ou=Account, dc=andrew, dc=cmu, dc=edu" "children" requested
NoUserMod Operational attribute: children access granted
ber_flush: 14 bytes to sd 7
conn=0 op=1 RESULT tag=105 err=0 text=
conn=0 op=2 UNBIND
conn=-1 fd=7 closed
Apparently, the "children" attributetype given in the core.schema sets a
flag NO-USER-MODIFICATION. Then in access_allowed() in servers/slapd/acl.c,
around line 118, if WRITE access is requested and that flag is set,
access_allowed() returns "yes, do it".
    /*
     * no-user-modification operational attributes are ignored
     * by ACL_WRITE checking as any found here are not provided
     * by the user
     */
    if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
    {
        Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
            " %s access granted\n",
            attr, 0, 0 );
        return 1;
    }
It seems no one can control who can add an entry to my slapd database.
-Mark Adamson
Carnegie Mellon
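The following is an added example, not code from the message above or from OpenLDAP: a small C model of the decision the quoted acl.c fragment makes, reproducing why an anonymous ADD is granted under "access to * by * none", beside one way of closing the hole. The schema table, the AT_PSEUDO flag and the access_allowed_fixed variant are assumptions made for illustration; they are not slapd's data structures or its eventual fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access levels in the order slapd compares them (modelled, not slapd's enum). */
enum access_level { ACL_NONE = 0, ACL_AUTH, ACL_COMPARE, ACL_SEARCH, ACL_READ, ACL_WRITE };

#define AT_NO_USER_MOD 0x1 /* schema flag NO-USER-MODIFICATION */
#define AT_PSEUDO      0x2 /* assumed marker for the "entry"/"children" access-control pseudo-attributes */

struct attr_type { const char *name; unsigned flags; };

/* Constructed mini-schema: one user attribute, one server-maintained operational
   attribute, and the two pseudo-attributes that gate whole operations. */
static const struct attr_type schema[] = {
    { "cn",              0 },
    { "createTimestamp", AT_NO_USER_MOD },
    { "children",        AT_NO_USER_MOD | AT_PSEUDO },
    { "entry",           AT_NO_USER_MOD | AT_PSEUDO },
};

static const struct attr_type *lookup_attr(const char *name) {
    for (size_t i = 0; i < sizeof schema / sizeof schema[0]; i++)
        if (strcmp(schema[i].name, name) == 0)
            return &schema[i];
    return NULL;
}

/* The only ACL in the log: "access to * by * none". The caller is anonymous. */
static const enum access_level acl_grant = ACL_NONE;

/* Mirrors the quoted acl.c logic: the NO-USER-MODIFICATION shortcut fires
   before any ACL is consulted, so a write to "children" is always granted. */
bool access_allowed_original(const char *attr, enum access_level access) {
    const struct attr_type *at = lookup_attr(attr);
    if (at == NULL)
        return false;
    if (access >= ACL_WRITE && (at->flags & AT_NO_USER_MOD))
        return true; /* "NoUserMod Operational attribute: children access granted" */
    return acl_grant >= access;
}

/* Assumed hardening: keep the shortcut for attributes the server itself
   maintains (the user cannot supply them anyway), but never for the
   pseudo-attributes, whose write permission decides whether an ADD/DELETE
   may happen at all. Those fall through to the real ACL. */
bool access_allowed_fixed(const char *attr, enum access_level access) {
    const struct attr_type *at = lookup_attr(attr);
    if (at == NULL)
        return false;
    if (access >= ACL_WRITE && (at->flags & AT_NO_USER_MOD) && !(at->flags & AT_PSEUDO))
        return true;
    return acl_grant >= access;
}

/* The check slapd performs for "conn=0 op=1 ADD": write access to the
   parent's "children" pseudo-attribute, by an unauthenticated binder. */
bool anonymous_add_allowed(bool (*check)(const char *, enum access_level)) {
    return check("children", ACL_WRITE);
}

int main(void) {
    printf("original acl.c logic: anonymous ADD %s\n",
           anonymous_add_allowed(access_allowed_original) ? "granted" : "denied");
    printf("hardened logic:       anonymous ADD %s\n",
           anonymous_add_allowed(access_allowed_fixed) ? "granted" : "denied");
    return 0;
}
```

Run against the ACL from the log, the first variant grants the ADD exactly as the "children access granted" debug line shows, while the second denies it and still lets the server write its own operational attributes such as createTimestamp.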