exposing RELAX control on LDAP

Matthieu Patou mat at samba.org
Sat Jun 5 09:32:02 MDT 2010

On 05/06/2010 16:50, Andrew Bartlett wrote:
> On Sat, 2010-06-05 at 13:30 +0400, Matthieu Patou wrote:
>> Hello endi,
>> I just noticed today that you made the relax control exposed on LDAP,
>> I'm a bit worried about this as we tend to use this control maybe too
>> often and I have the impression that it can be a security risk.
>> My first question to simo or andrew b. is: am I overreacting? Is there
>> possibly a threat?
> Yes, it's a threat, and while it only allows users who are otherwise
> able to write to mess up the DB, that could be an issue.
Yep! We hardly know what an 'oh, he must already have write access to do
so' problem can lead to.
>> Then comes the following one:
>> I suppose that if you did so it's for a good reason, so can you explain
>> it? Can we reduce the range of users that can use it (with ACLs for
>> instance)?
> Yes, the code that enabled it is currently needed because of the way we
> process things with the LDAP backend, but we should not permit it to be
> used over LDAP, and it should be restricted to System or the provision.
Great, I opened a bug request to track this.
I still don't understand why, even with the LDAP backend, we need to
expose this from the outside.
The following request:
ldbmodify -H /usr/local/samba/private/sam.ldb --controls "relax:0" foo.ldif
is supposed to work in the correct way with the LDAP backend as well, no?
> More of a worry is the 'as system' control, which should be eliminated
> (we need to redesign the code that uses that), and which we need to
> ensure is not exposed over LDAP.
What is the name or the OID of this control?


Matthieu Patou
Samba Team        http://samba.org
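
An added example, not part of the original message or of Samba's code: a small audit helper that reads a rootDSE dump in LDIF form and reports whether the relax control is advertised to LDAP clients. It assumes the server lists the control in the rootDSE supportedControl attribute and that the relax control uses the OID shown (the one OpenLDAP defines as LDAP_CONTROL_RELAX); the denylist, function names and sample dump are constructed for illustration.

```python
"""Audit a rootDSE dump for controls that should only be usable locally."""

# Assumption: OID of the LDAP "relax rules" control (LDAP_CONTROL_RELAX in OpenLDAP).
RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"

# Hypothetical denylist: controls that should not be reachable over LDAP.
LOCAL_ONLY = {RELAX_OID: "relax"}

# Constructed sample rootDSE output; the second control is folded across two
# lines the way LDIF tools wrap long values.
SAMPLE_ROOTDSE = """\
dn:
supportedLDAPVersion: 3
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.4203.
 666.5.12
SupportedControl: 1.2.840.113556.1.4.417
"""


def unfold(ldif):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def supported_controls(ldif):
    """Return every supportedControl OID, matching the attribute name case-insensitively."""
    oids = []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.append(value.strip())
    return oids


def exposed_local_only(ldif, denylist=LOCAL_ONLY):
    """Names of denylisted controls that the server advertises."""
    return sorted(denylist[oid] for oid in supported_controls(ldif) if oid in denylist)


if __name__ == "__main__":
    hits = exposed_local_only(SAMPLE_ROOTDSE)
    print("advertised local-only controls:", ", ".join(hits) or "none")
```

This checks only what the server advertises, so an empty result does not show that the server rejects the control when a client sends it.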
