
Re: Solved: Re: Possible ACL Issue while try to read Root DSE



Axel Birndt wrote:
> {0}to dn.base="" by * read
> {1}to dn.base="cn=schema,cn=config" by * read
> {2}to dn.base="cn=Subschema" by * read
> 
> But does the first rule mean that everyone could read everything in this frontend?

dn.base="" limits the ACL to the root DSE which does not contain confidential
information.

> Is this security-conformant? Or is it better to allow only authenticated users to
> read this?

Some security auditors recommend limiting access to the rootDSE to authenticated
users. Your mileage may vary.

Ciao, Michael.
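
The authenticated-only variant discussed in this thread, as an added example that is not part of the original posts. It assumes the three quoted rules are `olcAccess` values on the frontend database (`olcDatabase={-1}frontend,cn=config`) and is meant to be applied with `ldapmodify` by an identity that can write to `cn=config`.

```ldif
# Added example, not from the original thread.
# Assumption: the quoted rules live on the frontend database entry.
#
# Original rule {0} (anonymous clients may read the root DSE):
#   {0}to dn.base="" by * read
#
# Restricted rule {0}: only authenticated identities ("users") may read
# the root DSE, everyone else gets no access. Rules {1} and {2} are kept
# exactly as quoted in the thread.
#
# Caveat: clients that query the root DSE before binding, for example to
# discover supportedSASLMechanisms or namingContexts, will no longer get
# an answer and may fail to connect.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.base="" by users read by * none
olcAccess: {1}to dn.base="cn=schema,cn=config" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
```

To check the result, run an anonymous base-scope search on the empty DN (`ldapsearch -x -b "" -s base +`) and confirm it returns no attributes, then repeat it with a simple bind to confirm authenticated clients can still read the entry.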