
Anyone can add entries?



I'm looking at the ACLs in the OpenLDAP Beta release, downloaded a few
days ago. I notice that anyone can add an entry to the slapd db, with no
authentication, regardless of how I set the ACLs.

I execute a command like this on some client:

  % /usr/openldap/bin/ldapadd -h ldapserver -f addme

Where the file "addme" adds an entry with a DN

  "UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"


The slapd log, using debugging level 384 (128+256) says this:


Backend ACL: access to *
        by * none (=n)

slapd starting
daemon: conn=0 fd=7 connection from IP=128.2.122.223:44891 (IP=0.0.0.0:389) accepted.
conn=0 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 7
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 ADD dn="UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
=> access_allowed: write access to "ou=Account, dc=andrew, dc=cmu, dc=edu" "children" requested
NoUserMod Operational attribute: children access granted
ber_flush: 14 bytes to sd 7
conn=0 op=1 RESULT tag=105 err=0 text=
conn=0 op=2 UNBIND
conn=-1 fd=7 closed



Apparently, the "children" attributetype given in the core.schema sets a
flag NO-USER-MODIFICATION. Then in access_allowed() in servers/slapd/acl.c,
around line 118, if WRITE access is requested and that flag is set,
access_allowed() returns "yes, do it".

	/*
	 * no-user-modification operational attributes are ignored
	 * by ACL_WRITE checking as any found here are not provided
	 * by the user
	 */
	if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
	{
		Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
			" %s access granted\n",
			attr, 0, 0 );
		return 1;
	}



It seems no one can control who can add an entry to my slapd database.



  -Mark Adamson
   Carnegie Mellon
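A simplified model of the decision the quoted acl.c code makes, added here as an illustration and not taken from slapd: the NO-USER-MODIFICATION short-circuit runs before any ACL is consulted, so the "children" pseudo-attribute is granted write access even on an anonymous bind under "access to * by * none". The `_fixed` variant, its exemption of the "children" and "entry" pseudo-attributes, and the `acl_default_rights` stub are assumptions made for this illustration, not the project's actual fix.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified model of the access_allowed() decision; not slapd code. */
enum { ACL_NONE = 0, ACL_READ = 2, ACL_WRITE = 3 };

typedef struct {
    const char *name;   /* attribute name, e.g. "children" */
    bool no_user_mod;   /* NO-USER-MODIFICATION flag from the schema */
} attr_type;

/* Constructed sample attributes for the two cases that matter here. */
static const attr_type CHILDREN  = { "children",        true };
static const attr_type MODIFY_TS = { "modifyTimestamp", true };

/* Stub for the ACL in the post: "access to * by * none" grants nothing to anyone. */
static int acl_default_rights(const char *bind_dn) {
    (void)bind_dn;
    return ACL_NONE;
}

/* Flawed ordering from the post: the no-user-mod short-circuit runs before the
 * ACL is consulted, so an anonymous ADD gets "children" write access. */
bool access_allowed_flawed(const attr_type *desc, int access, const char *bind_dn) {
    if (access >= ACL_WRITE && desc->no_user_mod)
        return true;                         /* "yes, do it" */
    return acl_default_rights(bind_dn) >= access;
}

/* Assumed hardening: "children" and "entry" are pseudo-attributes that express
 * rights on the entry itself, so they must still go through the ACL even though
 * the schema marks them NO-USER-MODIFICATION. Real server-generated operational
 * attributes keep the short-circuit, since the user never supplies them. */
bool access_allowed_fixed(const attr_type *desc, int access, const char *bind_dn) {
    bool pseudo = strcmp(desc->name, "children") == 0 ||
                  strcmp(desc->name, "entry") == 0;
    if (access >= ACL_WRITE && desc->no_user_mod && !pseudo)
        return true;
    return acl_default_rights(bind_dn) >= access;
}

int main(void) {
    /* Anonymous bind (dn="") asking to add a child, as in the slapd log above. */
    printf("flawed: anonymous add -> %s\n",
           access_allowed_flawed(&CHILDREN, ACL_WRITE, "") ? "granted" : "denied");
    printf("fixed:  anonymous add -> %s\n",
           access_allowed_fixed(&CHILDREN, ACL_WRITE, "") ? "granted" : "denied");
    return 0;
}
```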