[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4962) inconsistent Bind(rootdn) behavior

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4962) inconsistent Bind(rootdn) behavior
From: h.b.furuseth@usit.uio.no
Date: Thu, 16 Aug 2007 18:07:06 GMT

ando@sys-net.it writes:
> The "right" solution would be to protect the identity of the rootdn
> with ACLs, so that regular users cannot add/modify it.

Good idea, but that too depends on your policy.  If you you have a cron
job or whatever which updates entries, including that of the rootdn, you
may not want it to have full rootdn access.  If nothing else, it's a bit
like logging in as root instead of as a regular user - if you screw up
you have the opportunity to create much more havoc.

I wonder if we need a rootpolicy config parameter to tune the details of
all this.  Then we can set a fairly paranoid default, and people who
need it to work differently can override.

(Another thing I remember someone asked about was to only accept rootdn
login from some specific IP address.  But now that I think of it, normal
ACLs could ensure that if he had the password in an entry instead of in
rootpw.)

-- 
Hallvard

Prev by Date: Re: (ITS#5092) page size value of 1.2.840.113556.1.4.319 control
Next by Date: (ITS#5094) shutting down multiple ppolicy instances yields double-free
Index(es):
- Chronological
- Thread