
LDAP_STRONG_REQUIRED unconditionally



Hello!

In the last sub-releases (at least 2.1.5-2.1.8) *all* modifications are
forced to be done in conjunction with strong authentication.

See servers/slapd/backend.c:913-915:

			if( op->o_ndn.bv_len == 0 ) {
				*text = "modifications require authentication";
				return LDAP_STRONG_AUTH_REQUIRED;

IMHO the directory administrator should be granted - as possible in the
past - and as *default* (for production environment compatibility) to
allow for modifications without any authentication.

I see no reason to completely disable non-authenticated modification of
the database. Commenting out the condition easily brought us back into
production.

Such a default policy would make sense, because the admin may require
Authentication through the "ssf" structure for security reasons. This
could be easily applied to the condition in line 911. If it should
become default behaviour, You could make the "require"-clause default
in the slapd.conf example.

What do You think about this suggestion? It may prevent *much* bad
experience (and confusion) with directories and toolsets deployed with
not-too-old openldap releases.

-- 
Mit freundlichen Gruessen / Yours sincerely

Marian Eichholz
Postmaster
freenet.de AG          Vorsitzender des Aufsichtsrates: Gerhard Schmid
Deelbögenkamp 4c       Vorstand: Eckhard Spoerr (Vors.), Axel Krieger
22297 Hamburg          Amtsgericht Hamburg, HRB 74048