
Anyone can add entries?

I'm looking at the ACLs in the OpenLDAP Beta release, downloaded a few
days ago. I notice that anyone can add an entry to the slapd db, with no
authentication, regardless of how I set the ACL's.

I execute a command like this on some client:

  % /usr/openldap/bin/ldapadd -h ldapserver -f addme

Where the file "addme" adds an entry with a DN


The slapd log, using debugging level 384 (128+256) says this:

Backend ACL: access to *
        by * none (=n)

slapd starting
daemon: conn=0 fd=7 connection from IP= (IP= accepted.
conn=0 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 7
conn=0 op=0 RESULT tag=97 err=0 text=
=> access_allowed: write access to "ou=Account, dc=andrew, dc=cmu, dc=edu" "children" requested
NoUserMod Operational attribute: children access granted
ber_flush: 14 bytes to sd 7
conn=0 op=1 RESULT tag=105 err=0 text=
conn=0 op=2 UNBIND
conn=-1 fd=7 closed

Apparently, the "children" attributetype given in the core.schema sets a
flag NO-USER-MODIFICATION. Then in access_allowed() in servers/slapd/acl.c, 
around line 118, if WRITE access is requested and that flag is set,
access_allowed()  returns "yes, do it".

	/*
	 * no-user-modification operational attributes are ignored
	 * by ACL_WRITE checking as any found here are not provided
	 * by the user
	 */
	if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) ) {
		Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
			" %s access granted\n",
			attr, 0, 0 );
		return 1;
	}

It seems no one can control who can add an entry to my slapd database.

  -Mark Adamson
   Carnegie Mellon
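The following is an added example, not code from the post or from OpenLDAP: a small Python model of the check order described above, so the effect can be seen without a slapd. The rule matching is simplified to the "by * none" and "by users write" forms, the attribute names and the ACL lists are constructed, and the "checked" variant is an illustration of the behaviour a defender would expect, not the project's actual fix.

```python
# Constructed Python model of the access_allowed() short-circuit the post describes.
# Not OpenLDAP code: rule matching is simplified to the "by * none" / "by users write"
# forms, and access_allowed_checked() is an assumed illustration, not the project's fix.
from dataclasses import dataclass

ACL_NONE, ACL_READ, ACL_WRITE = 0, 1, 2
ANONYMOUS = ""   # empty bind DN, as in 'BIND dn="" method=128' in the log


@dataclass(frozen=True)
class AttrType:
    name: str
    no_user_mod: bool = False   # NO-USER-MODIFICATION flag from the schema


# Minimal schema: "children" carries NO-USER-MODIFICATION, as the post reports.
SCHEMA = {
    "children": AttrType("children", no_user_mod=True),
    "cn": AttrType("cn"),
}


@dataclass(frozen=True)
class Rule:
    target: str   # "*" (any attribute) or an attribute name
    who: str      # "*", "anonymous" or "users"
    level: int    # ACL_NONE / ACL_READ / ACL_WRITE


# The backend ACL from the slapd log: "access to * by * none".
DENY_ALL = [Rule("*", "*", ACL_NONE)]
# A hypothetical ACL an administrator might set: only authenticated users may write.
USERS_WRITE = [Rule("*", "users", ACL_WRITE), Rule("*", "*", ACL_NONE)]


def acl_lookup(attr, bind_dn, acl):
    """Return the access level granted by the first matching rule (first match wins)."""
    for rule in acl:
        if rule.target not in ("*", attr):
            continue
        if rule.who == "*":
            return rule.level
        if rule.who == "anonymous" and bind_dn == ANONYMOUS:
            return rule.level
        if rule.who == "users" and bind_dn != ANONYMOUS:
            return rule.level
    return ACL_NONE


def access_allowed_reported(attr, access, bind_dn, acl):
    """Check order as the post describes acl.c: a write request on a
    NO-USER-MODIFICATION attribute skips the ACL entirely, so "children"
    (the pseudo-attribute an add needs on the parent) is always granted."""
    if access >= ACL_WRITE and SCHEMA[attr].no_user_mod:
        return True
    return acl_lookup(attr, bind_dn, acl) >= access


def access_allowed_checked(attr, access, bind_dn, acl):
    """Illustrative variant (an assumption, not OpenLDAP's fix): the exemption
    applies only to attribute values a client cannot supply; the "children"
    permission on the parent entry still goes through the ACL."""
    if access >= ACL_WRITE and SCHEMA[attr].no_user_mod and attr != "children":
        return True
    return acl_lookup(attr, bind_dn, acl) >= access


def ldapadd_permitted(bind_dn, acl, check=access_allowed_checked):
    """Model of the add path in the log: adding an entry under
    ou=Account,dc=andrew,dc=cmu,dc=edu requests write on the parent's children."""
    return check("children", ACL_WRITE, bind_dn, acl)


if __name__ == "__main__":
    print("anonymous add, reported check :", ldapadd_permitted(ANONYMOUS, DENY_ALL, access_allowed_reported))
    print("anonymous add, checked variant:", ldapadd_permitted(ANONYMOUS, DENY_ALL))
    print("user add under 'by users write':", ldapadd_permitted("cn=admin,dc=example", USERS_WRITE))
```

With the deny-all ACL from the log, the reported check order permits the anonymous add while the checked variant refuses it; the same checked variant still lets an authenticated user add under a "by users write" rule, which is the distinction an ACL is supposed to make.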