[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP_STRONG_REQUIRED unconditionally


In the last sub-releases (at least 2.1.5-2.1.8) *all* modifications are
forced to be done in conjunction with strong authentication.

See servers/slapd/backend.c:913-915:

			if( op->o_ndn.bv_len == 0 ) {
				*text = "modifications require authentication";

IMHO the directory administrator should be granted - as possible in the
past - and as *default* (for production environment compatibility) to
allow for modifications without any authentication.

I see no reason to completely disable non-authenticated modification of
the database. Commenting out the condition easily brought us back into

Such a default policy would make sense, because the admin may require
Authentication through the "ssf" structure for security reasons. This
could be easily applied to the condition in line 911. If it should
become default beahaviour, You could make the "require"-clause default
in the slapd.conf example.

What do You think about this suggestion? It may prevent *much* bad
experience (and confusion) with directories and toolsets deployed with
not-too-old openldap releases.

Mit freundlichen Gruessen / Yours sincerely

Marian Eichholz
freenet.de AG          Vorsitzender des Aufsichtsrates: Gerhard Schmid
Deelbögenkamp 4c       Vorstand: Eckhard Spoerr (Vors.), Axel Krieger
22297 Hamburg          Amtsgericht Hamburg, HRB 74048