
Re: cn=config



On Mon, 20 Feb 2006, Jon Roberts wrote:

> > (a) The ability to modify ACLs on the fly, without restarting the server
> 
> This is the same reason I'm not quite so enthusiastic about cn=config, 
> i.e. it could allow a non-root entity to remotely compromise my security, 
> configuration, or data. I'm not saying a system couldn't be configured 
> to safeguard against this, but there are no guarantees with most slapd 
> defaults. At the very least, I hope cn=config continues to be optional. 
> Ditto for acis.

Remote compromises are always a possibility; this just provides one more 
vector, and so should be equally well-guarded.

> > (d) The ability to add new backends and overlays on the fly
> 
> I admit straight up I have no idea how valuable this would be. I can't 
> see myself wanting it ever.

That would be a plus for us, whenever we buy out another company (and yes, 
I'll see about having us contribute back somehow, given that OpenLDAP is 
now essential to our operations).

> > (b) Deleting schema elements
> 
> That would likely be never, I'd think.

I've done it a few times; fortunately the elements weren't actually used 
(hence the reason for their deletion).

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9552-5509 (d) -5500 (sw)
Corinthian Engrng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
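The guarding the reply calls for, as an added example that is not from this thread or from the OpenLDAP project: an LDIF that restricts the cn=config database so only the local root process, authenticated over the ldapi:/// Unix socket with SASL EXTERNAL, can read or change the running configuration. It assumes slapd listens on ldapi:/// and that the config database is the usual olcDatabase={0}config; the over-permissive rule shown in the comment is a constructed illustration of the risk, not a slapd default.

```ldif
# Added example, not from the thread. A rule like the following, if it
# were in place, would let any authenticated user rewrite the live
# configuration (ACLs, backends, overlays, schema) over the network,
# which is exactly the exposure discussed above:
#
#   olcAccess: {0}to * by users write
#
# The rule below replaces it: "manage" for the local root peer only,
# "none" for everyone else. The peercred DN is how slapd names a client
# whose Unix uid/gid it learned from the ldapi socket; uidNumber=0 and
# gidNumber=0 is root.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * none
```

Apply it as root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f lockdown-config.ldif`, then confirm that `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` shows the new rule while an unprivileged `ldapsearch -x -H ldap://localhost -b cn=config` returns no entries.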