Blocking anonymous LDAP operations and interaction with dsHeuristics

Andrew Bartlett abartlet at samba.org
Wed Nov 24 22:37:05 MST 2010


Nadezhda,

I've been working to create a 'half-way-house' solution, that can solve
the issue of anonymous access to our directory, without invoking the
full aclread solution, while we work on the performance of that code.  

I think it's really important for our users that we get a proper access
control solution here, and I hope you agree that it's clearer to have
this all done in one module, and with as little processing having
already occurred as possible.

Therefore, I attach a series of proposed patches, and have pushed them to:
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/block-anon-ldap

The problem is, they fail 'make test', because acl.py expects that
dsHeuristics is honoured live.  This implies that either we must somehow
signal to every LDAP server instance whenever this value changes, or we
must poll it for every operation.  Both seem inefficient.  Is this
really the Windows behaviour?  Do you think we need to match it?  (I'm
happy with a search per connection).

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-dsdb-Remove-mem_ctx-argument-from-dsdb_module_fin.patch
Type: text/x-patch
Size: 1986 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101125/a6d3bee2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-dsdb-Add-block-anonymous-checks-to-the-rootdse-mo.patch
Type: text/x-patch
Size: 5892 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101125/a6d3bee2/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s4-dsdb-Remove-rootDSE-and-anonymous-checks-from-acl.patch
Type: text/x-patch
Size: 2043 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101125/a6d3bee2/attachment-0002.bin>
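
The trade-off raised in the message above, sketched as an added example that is not part of the original post or of Samba's code: it contrasts reading dsHeuristics once per connection with checking it on every operation. It relies on Microsoft's Active Directory documentation, under which anonymous operations are blocked unless the 7th character of dsHeuristics is '2'; the variable, struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the dsHeuristics value stored in the directory. */
static char ds_heuristics[32] = "";

/* Anonymous operations are blocked unless the 7th character is '2'. */
bool block_anonymous_ops(const char *value)
{
    return !(strlen(value) >= 7 && value[6] == '2');
}

/* Hypothetical per-connection state: the policy is read once at connect time. */
struct conn { bool block_anon; };

void set_ds_heuristics(const char *value)
{
    snprintf(ds_heuristics, sizeof(ds_heuristics), "%s", value);
}

void conn_open(struct conn *c)
{
    c->block_anon = block_anonymous_ops(ds_heuristics);
}

/* "Search per connection": answer from the value cached at connect time. */
bool anon_allowed_cached(const struct conn *c) { return !c->block_anon; }

/* "Honoured live": re-read the attribute for every operation. */
bool anon_allowed_live(void) { return !block_anonymous_ops(ds_heuristics); }

/* True when a connection opened before the policy is tightened still permits
 * anonymous operations that a live check already denies. */
bool stale_window_exists(void)
{
    struct conn c;
    set_ds_heuristics("0000002");  /* constructed value: anonymous ops allowed */
    conn_open(&c);
    set_ds_heuristics("0000000");  /* constructed value: blocked again */
    return anon_allowed_cached(&c) && !anon_allowed_live();
}

int main(void)
{
    printf("stale window on old connection: %s\n",
           stale_window_exists() ? "yes" : "no");
    return 0;
}
```

With per-connection caching, a long-lived anonymous connection keeps the old policy until it reconnects, which is the behaviour a test expecting live enforcement would flag.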