> I need to see the aci's on your server to help more. Can you please
> send me (either to the list, or directly to my email) the output of:
>
> ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -w -H
> ldaps://<your server> '(aci=*)' aci
>
> That will help me answer the question as to what is causing this
> attribute to be readable,

William was kind enough to answer me directly.

> # /usr/lib/mozldap/ldapsearch -D 'cn=Directory Manager' -j /etc/.ldap.secret -b 'dc=global' '(aci=*)' aci
> version: 1
> dn: dc=global
> aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone"

See this '!=' in targetattr? This doesn't mean "exclude userPassword from searches"; it means "take the set of every attribute that exists in the server, and allow search on ALL of them EXCEPT userPassword". This aci is a huge security risk because you are disclosing ALL attribute states. It's better to have a super long list of attributes here that you trust to be read. In the next version of Directory Server we fix these default attributes to have sane content.

> aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (write)userdn ="ldap:///self"

Again, the same effect here, but this time this allows a user to "self write any attribute that exists EXCEPT these two". Which again has huge security risks, because now they can self edit objectClass, add a container type, child entries ... They can edit the nsadminlimits, or more. So again, this needs to be a "targetattr = ...." list of what you WANT to allow self write to.
> aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot")
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///dc=global"

These three are probably okay, because you expect these members to be able to change everything arbitrarily.

I would like to note that all those acis were defined by default during installation and initial configuration of 389; I didn't add anything manually. I understand now that it is a lot better to have an explicit list of allowed attributes than a negative blacklist. If I get it correctly, this is a huge security problem and I've seen a lot of ldap servers configured this way.

Thanks again for your time, William.

abosch

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
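The audit William describes above, as an added example for this thread (it is not abosch's or William's code, nor part of 389 Directory Server): a small POSIX shell script that takes the output of `ldapsearch ... '(aci=*)' aci`, unfolds the LDIF continuation lines, flags every aci whose targetattr is negated with `!=`, and emits an ldapmodify LDIF that deletes those values and adds explicit allow-lists in their place. The sample input is constructed from the ACI values quoted in the thread; the replacement attribute lists ("objectClass || cn || sn || uid || mail" for anonymous read, "userPassword || mail || telephoneNumber" for self-write) and the base DN `dc=global` are assumptions for illustration, to be replaced with what a given deployment actually needs.

```shell
#!/bin/sh
# Added example for this thread, not 389-ds project code.
# Audit ldapsearch '(aci=*)' aci output for ACIs with a negated targetattr
# ("targetattr != ...") and emit an ldapmodify LDIF that replaces each one with
# an explicit allow-list. The allow-lists below are assumptions for illustration.

# Constructed sample in ldapsearch's LDIF output format (continuation lines start
# with one space, exactly as the tool folds them). Values taken from the thread.
SAMPLE_LDIF='version: 1
dn: dc=global
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allo
 w (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry modifi
 cation except for nsroledn and aci attributes"; allow (write) userdn = "ldap:/
 //self";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ld
 ap:///dc=global";)
'

# Join LDIF continuation lines so each attribute value sits on one line and can
# be matched reliably (a leading space marks a continuation; it is stripped).
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Print every aci value whose targetattr is negated. Such an ACI grants the
# permission on every attribute the server knows EXCEPT the listed ones, which
# is what makes the two default ACIs discussed in the thread dangerous.
# ACIs with targetattr = "*" are intentionally not flagged here: they are broad
# by design and meant for administrators.
negated_acis() {
    unfold_ldif | grep -E '^aci: *\(targetattr *!='
}

# Number of negated ACIs, for a quick pass/fail in scripts.
count_negated_acis() {
    negated_acis | wc -l | tr -d ' '
}

# Emit an ldapmodify LDIF for the given base DN: delete each negated ACI value
# (a delete must carry the exact current value) and add explicit allow-lists.
fix_ldif() {
    base_dn=$1
    printf 'dn: %s\nchangetype: modify\n' "$base_dn"
    negated_acis | while IFS= read -r line; do
        printf 'delete: aci\n%s\n-\n' "$line"
    done
    # Assumed allow-lists. userPassword must never appear in the anonymous one.
    cat <<'EOF'
add: aci
aci: (targetattr = "objectClass || cn || sn || uid || mail")(version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr = "userPassword || mail || telephoneNumber")(version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)
EOF
}

# Stand-alone run against the constructed sample. Against a live server, feed the
# real search output instead, e.g.:
#   ldapsearch -x -H ldaps://server -D 'cn=Directory Manager' -W -b 'dc=global' '(aci=*)' aci | negated_acis
printf '%s' "$SAMPLE_LDIF" | negated_acis
printf '%s' "$SAMPLE_LDIF" | fix_ldif 'dc=global'
```

Review the generated LDIF before applying it with ldapmodify: the delete entries must match the stored values byte for byte, and the add entries should list only the attributes you actually want anonymous readers and self-writers to touch.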