Re: Anyone can add entries?
That be a bug... try this patch (may take 15min to replicate)
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/acl.c.diff?r1=1.77&r2=1.78
At 03:48 PM 7/20/00 -0400, Mark Adamson wrote:
>I'm looking at the ACLs in the OpenLDAP Beta release, downloaded a few
>days ago. I notice that anyone can add an entry to the slapd db, with no
>authentication, regardless of how I set the ACL's.
>
>I execute a command like this on some client:
>
> % /usr/openldap/bin/ldapadd -h ldapserver -f addme
>
>Where the file "addme" adds an entry with a DN
>
> "UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
>
>
>The slapd log, using debugging level 384 (128+256) says this:
>
>
>Backend ACL: access to *
> by * none (=n)
>
>slapd starting
>daemon: conn=0 fd=7 connection from IP=128.2.122.223:44891 (IP=0.0.0.0:389) accepted.
>conn=0 op=0 BIND dn="" method=128
>ber_flush: 14 bytes to sd 7
>conn=0 op=0 RESULT tag=97 err=0 text=
>conn=0 op=1 ADD dn="UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
>=> access_allowed: write access to "ou=Account, dc=andrew, dc=cmu, dc=edu" "children" requested
>NoUserMod Operational attribute: children access granted
>ber_flush: 14 bytes to sd 7
>conn=0 op=1 RESULT tag=105 err=0 text=
>conn=0 op=2 UNBIND
>conn=-1 fd=7 closed
>
>
>
>Apparently, the "children" attributetype given in the core.schema sets a
>flag NO-USER-MODIFICATION. Then in access_allowed() in servers/slapd/acl.c,
>around line 118, if WRITE access is requested and that flag is set,
>access_allowed() returns "yes, do it".
>
>    /*
>     * no-user-modification operational attributes are ignored
>     * by ACL_WRITE checking as any found here are not provided
>     * by the user
>     */
>    if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
>    {
>        Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
>            " %s access granted\n",
>            attr, 0, 0 );
>        return 1;
>    }
>
>
>
>It seems no one can control who can add an entry to my slapd database.
>
>
>
> -Mark Adamson
> Carnegie Mellon
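The short-circuit Mark quotes from access_allowed() is easy to model. The block below is an added example, not OpenLDAP code and not the contents of the linked acl.c diff: it reproduces the flawed check beside a corrected variant that keeps the shortcut for server-maintained attributes but exempts the "entry" and "children" pseudo-attributes, which is the kind of exception a fix needs since an ADD is authorised by "children" access on the parent. The attr_type_t struct, the constructed schema fragment, configured_access_level() and the two access_allowed_* functions are assumptions made for this model.

```c
/* Added example (not OpenLDAP code): a small model of the access_allowed()
 * short-circuit quoted above, with the flawed check beside a corrected one.
 * attr_type_t, configured_access_level() and the constructed attribute
 * definitions below are assumptions made for this model. */
#include <stdio.h>

enum { ACL_NONE = 0, ACL_AUTH, ACL_COMPARE, ACL_SEARCH, ACL_READ, ACL_WRITE };

typedef struct {
    const char *name;
    int no_user_mod;   /* NO-USER-MODIFICATION flag from the schema */
} attr_type_t;

/* Constructed schema fragment: "children" and "entry" are the pseudo-attributes
 * slapd uses for add/delete and entry-level rights; "modifiersName" is an
 * ordinary operational attribute maintained by the server; "cn" is user data. */
static const attr_type_t at_children      = { "children",      1 };
static const attr_type_t at_entry         = { "entry",         1 };
static const attr_type_t at_modifiersname = { "modifiersName", 1 };
static const attr_type_t at_cn            = { "cn",            0 };

/* The single backend ACL from the log: "access to * by * none". */
static int configured_access_level(const char *who)
{
    (void)who;
    return ACL_NONE;
}

static int is_at_no_user_mod(const attr_type_t *at)
{
    return at->no_user_mod;
}

/* Flawed version: every NO-USER-MODIFICATION attribute bypasses the ACL when
 * write access is requested, including "children", which is exactly the right
 * an anonymous ADD is checked against on the parent entry. */
int access_allowed_buggy(const char *who, const attr_type_t *desc, int access)
{
    if (access >= ACL_WRITE && is_at_no_user_mod(desc)) {
        printf("NoUserMod Operational attribute: %s access granted\n", desc->name);
        return 1;
    }
    return configured_access_level(who) >= access;
}

/* Corrected version: the shortcut still covers attributes the server fills in
 * itself, but "entry" and "children" represent rights on the entry rather than
 * data supplied by the user, so they always go through the configured ACLs. */
int access_allowed_fixed(const char *who, const attr_type_t *desc, int access)
{
    if (access >= ACL_WRITE && is_at_no_user_mod(desc)
        && desc != &at_entry && desc != &at_children) {
        printf("NoUserMod Operational attribute: %s access granted\n", desc->name);
        return 1;
    }
    return configured_access_level(who) >= access;
}

int main(void)
{
    /* Anonymous bind (dn="") asking for write access to "children", as in the log. */
    printf("buggy: children write -> %d\n", access_allowed_buggy("", &at_children, ACL_WRITE));
    printf("fixed: children write -> %d\n", access_allowed_fixed("", &at_children, ACL_WRITE));
    printf("fixed: modifiersName write -> %d\n", access_allowed_fixed("", &at_modifiersname, ACL_WRITE));
    printf("fixed: cn write -> %d\n", access_allowed_fixed("", &at_cn, ACL_WRITE));
    return 0;
}
```

With the ACL "by * none", the flawed check returns 1 for "children" regardless of who is bound, which is the anonymous ADD succeeding in the log; the corrected check returns 0 for "children" and "entry" while still granting the server its own operational attributes.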