[Date Prev][Date Next] [Chronological] [Thread] [Top]

re: back-config

To: Howard Chu <hyc@symas.com>
Subject: re: back-config
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Mon, 21 Feb 2005 10:43:45 -0800
Cc: openldap-devel@OpenLDAP.org
Content-disposition: inline
In-reply-to: <421A2AE5.6080108@symas.com>
References: <4217FD49.6030207@symas.com> <3220.151.29.210.213.1108906322.squirrel@151.29.210.213> <421896AE.5040604@symas.com> <4218F61F.5030505@sys-net.it> <421A169E.4070501@symas.com> <E680638042FBDEF85931B3D9@cadabra-dsl.stanford.edu> <421A2AE5.6080108@symas.com>

--On Monday, February 21, 2005 10:39 AM -0800 Howard Chu <hyc@symas.com> wrote:

For item #2:

I don't have any rootpw defined in any of my systems, as I use
SASL/GSSAPI authentication for all write-related activity.  I assume
for the back-config stuff then, it will be possible to define an ACL
saying what principal can write to that DB?  Or a configuration
directive?


Currently I have no plans to allow any other users to access this DB.
This is after all very sensitive material; once you have the ability to
make runtime configuration changes on the fly you also have the ability
to royally screw things up on the fly. So for now it's rootdn only, and
no possibility of defining ACLs.

Historically, few (no?) X.500 servers have allowed protocol access to
access control rules. It may be inconvenient, but the restriction is
logical from a security standpoint - allowing such access opens you up to
a huge universe of vulnerabilities previously unseen. And as a practical
matter, it makes no sense to be forced to look inside an object to read
the rules that tell you if you're allowed to look inside the object.
There are a number of chicken-and-egg problems there.

But I have no intention of ever defining a root password on any of my systems, as it violates Stanford's security policies. There is a reason its directory service is entirely password free. I suppose if I can use a group as the rootdn, and have the rootdn authenticated via SASL/GSSAPI, that would suffice, since I have an ldap administrator group that is given write access based off the SASL/GSSAPI mappings.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin

References:
- backend overlays
  - From: Howard Chu <hyc@symas.com>
- Re: backend overlays
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: backend overlays
  - From: Howard Chu <hyc@symas.com>
- Re: backend overlays
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: backend overlays
  - From: Howard Chu <hyc@symas.com>
- Re: backend overlays
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- re: back-config
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: backend overlays
Next by Date: re: back-config
Index(es):
- Chronological
- Thread