Need a good way to deal with 'relax' security

Andrew Bartlett abartlet at samba.org
Sun Oct 17 23:03:09 MDT 2010


Matthias,

I've just reverted your patch to remove the network handles for 'RELAX',
as this breaks the OpenLDAP backend (which is the reason it had the
network handlers in the first place).

Firstly, I wish to apologise for doing so without asking you first.  I
had it reverted for some local testing, and intended to push just a
second patch. 

However, we do need to sort out a secure, but sensible way forward. 

The best way I can think to do that is to reinforce the changes tridge
has made to rootDSE, which now walks over the full list of controls.  

I suggest that we should, as well as marking all handled controls as
non-critical, reject here controls based on some policy about their
being available over LDAP (in conjunction with an opaque pointer
indicating that this is an LDAP connection, or 'security level' check on
the connecting user). 

That would remove the encode/decode layer from being a stop-gap security
barrier. 

(We also need to split 'relax' into multiple parts, to relax different
things based on the caller's indication). 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101018/accc5752/attachment.pgp>


More information about the samba-technical mailing list