[Date Prev][Date Next] [Chronological] [Thread] [Top]

Authorization for operational data


I'm doing some first tests with openldap-2.0beta. My LDAP client is
trying to do anonymous searches from the RootDSE (e.g.
namingContexts) prior to binding as authorized user to get the right
search root (for finding user entries).

In the default configuration I can't read the RootDSE with anonymous
access. How to change that?

Thinking about it a while it's not clear to me how to deal with
security issues regarding operational data stored in the directory
(RootDSE and schema). I understand that the default configuration
trys to protect everything but does that make sense?
It might lead to the situation where you have to pre-configure
things on the client side e.g. search root like for LDAPv2 servers
or even worse some people might configure rootdn/rootpw on their
clients which leads to less security.

Did anybody already define proper security policies regarding
operational attributes? I think this is really a serious hen-and-egg

Another thing: It seems to me that the first rootdn in slapd.conf is
allowed to retrieve the RootDSE. Is that correct? If yes, this looks
inconsistent to me. The RootDSE should have it's own database
section and ACLs. And how about the schema data?

Ciao, Michael.