Blocking anonymous LDAP operations and interaction with dsHeuristics
abartlet at samba.org
Thu Nov 25 03:06:18 MST 2010
On Thu, 2010-11-25 at 11:40 +0200, Nadezhda Ivanova wrote:
> Hi Andrew,
> I don't think I like this patch very much - I deliberately moved this code
> from rootDSE
What of this code was in the rootDSE to start with? I've never seen any
general prohibition on anonymous operations before.
> , because Windows behavior is that if you set the dsHeuristics
> flag and give some access to Anonymous to some objects, you should be able
> to see them with Anonymous connection.
How is that a problem with my patch? Aside from the fact that it reads
dsHeuristics only at connection time, this patch should do the same.
> If we just cut it all off at rootDSE
> this is not possible. We may of course choose not to support this
> behavior... What you could do is add the failing tests to knownfail,
> actually I think they are already there as this module is disabled by
> default. Instead of removing the code, could you make it dependent on
> acl:search parameter in smb.conf, so that it is used if acl_read is not
> enabled? It will make it easier for me to continue my work on the acl_read,
> and revert your patch when the module is good enough.
Should we really be mixing the general prohibition on anonymous
operations with the concept of ACLs on individual records?
Similarly, what other part of the code prohibits all other anonymous
operations? We really should do that general prohibition in one, clear
spot (kludge_acl was previously that clear spot, but this is now much
further down the stack than I would prefer).
Does this make my patch and approach any clearer?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
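The behaviour under discussion, as an added illustration that is not Samba's code and not part of this thread: the AD rule that anonymous LDAP operations are blocked beyond the rootDSE unless the seventh character of dsHeuristics (fLDAPBlockAnonOps) is '2', with the prohibition enforced at one gate in front of any per-object ACL evaluation. The gate re-reads dsHeuristics on every request, so a change takes effect without a reconnect, which is the connection-time concern raised above. `SamDBStub`, `check_request`, `validate_ds_heuristics` and the sample values are hypothetical names and constructed inputs, not Samba APIs; the validation-digit rule (tenth character '1', twentieth '2', and so on) is taken from MS-ADTS.

```python
# Added example: a single enforcement point for the dsHeuristics
# fLDAPBlockAnonOps rule. Not Samba code; names are hypothetical.

ROOT_DSE = ""  # the rootDSE is the entry with the empty DN

# Position of fLDAPBlockAnonOps in dsHeuristics (1-based character 7).
FLDAP_BLOCK_ANON_OPS_POS = 7


def validate_ds_heuristics(value):
    """Apply the MS-ADTS layout check: every tenth character (10th,
    20th, 30th, ...) that is present must equal the digit of its
    position divided by ten. Returns True when the string is well
    formed, False otherwise."""
    if value is None:
        return True  # attribute absent: all defaults apply
    for pos in range(10, len(value) + 1, 10):
        if value[pos - 1] != str(pos // 10):
            return False
    return True


def anon_ops_allowed(value):
    """True only if dsHeuristics is well formed and character 7 is '2';
    a missing or short value means the AD default (anonymous blocked)."""
    if not validate_ds_heuristics(value):
        return False
    if value is None or len(value) < FLDAP_BLOCK_ANON_OPS_POS:
        return False
    return value[FLDAP_BLOCK_ANON_OPS_POS - 1] == "2"


class SamDBStub:
    """Constructed stand-in for the directory: holds the current
    dsHeuristics value and a per-object ACL table (DN -> set of
    principals permitted to read it)."""

    def __init__(self, ds_heuristics, acls):
        self.ds_heuristics = ds_heuristics
        self.acls = acls

    def get_ds_heuristics(self):
        return self.ds_heuristics

    def acl_permits(self, dn, principal):
        return principal in self.acls.get(dn, set())


def check_request(samdb, principal, target_dn):
    """One clear spot for the general anonymous prohibition.

    Returns 'allow' when the request may proceed to normal ACL
    evaluation, 'deny' otherwise. The rootDSE is always readable.
    dsHeuristics is fetched on every call rather than cached at
    bind time, so flipping the flag affects existing connections.
    """
    if principal != "ANONYMOUS":
        return "allow"
    if target_dn == ROOT_DSE:
        return "allow"
    if anon_ops_allowed(samdb.get_ds_heuristics()):
        return "allow"
    return "deny"


def anonymous_can_read(samdb, target_dn):
    """Full decision: the general gate first, then the object's ACL.
    With the flag set, Anonymous sees exactly the objects it was
    granted access to, matching the Windows behaviour described."""
    if check_request(samdb, "ANONYMOUS", target_dn) != "allow":
        return False
    if target_dn == ROOT_DSE:
        return True
    return samdb.acl_permits(target_dn, "ANONYMOUS")


if __name__ == "__main__":
    # Constructed sample: one object readable by Anonymous, one not.
    db = SamDBStub("0000000", {"CN=Public,DC=samba,DC=example": {"ANONYMOUS"}})
    print(anonymous_can_read(db, ROOT_DSE))  # rootDSE always visible
    print(anonymous_can_read(db, "CN=Public,DC=samba,DC=example"))  # blocked
    db.ds_heuristics = "0000002"  # flag flipped on the live directory
    print(anonymous_can_read(db, "CN=Public,DC=samba,DC=example"))  # now visible
    print(anonymous_can_read(db, "CN=Secret,DC=samba,DC=example"))  # ACL denies
```

The point the block makes is structural rather than clever: `check_request` is the only place that knows about the general prohibition, and the ACL module behind it never has to reason about whether anonymity is permitted at all, so the two concerns stay separate.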