Need a good way to deal with 'relax' security

Andrew Bartlett abartlet at samba.org
Mon Oct 18 04:26:37 MDT 2010


On Mon, 2010-10-18 at 11:53 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
> 
> no problem for me - I've reopened the bug report. Regarding different 
> controls: I wonder if this won't make everything too complex to achieve. 
> If we would like to achieve this then we should use RELAX for OpenLDAP 
> and some other RELAX for our actual uses in the dsdb code.

Yes, that's the approach I would like to take.  I would start by
defining a 'provision' control, which is for things that provision
needs. 

> It's much better if we start looking at the PERMISSIVE_MODIFY control - 
> probably this can substitute RELAX at least in some cases.

No, permissive_modify is a little different.  It just means that you can
delete something that is already gone, and add something that already
exists.  Relax is about violating the schema and similar rules (such as
system-only). 

I don't think it will be too complex to split apart relax - we just need
to change it one at a time, and keep 'make test' passing. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
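
To make the distinction drawn above concrete, here is an added example, not part of the original message and not Samba's dsdb code: a toy Python model of a single-value modify in which the hypothetical flags `permissive` and `relax` stand in for the two controls. The mini-schema, the sample entry and the result code chosen for a system-only violation are assumptions; the point it shows is that the permissive flag only forgives redundant adds and deletes, while only the relax flag skips rule checks.

```python
# Toy model, constructed for illustration; not Samba's dsdb code.
# Result codes are the LDAP values from RFC 4511.
SUCCESS, NO_SUCH_ATTRIBUTE, CONSTRAINT_VIOLATION = 0, 16, 19
ATTRIBUTE_OR_VALUE_EXISTS, OBJECT_CLASS_VIOLATION = 20, 65

# Constructed mini-schema: attribute name -> is it system-only?
SCHEMA = {"description": False, "member": False, "objectGUID": True}


def modify(entry, op, attr, value, permissive=False, relax=False):
    """Add or delete one value on entry (dict of sets); return a result code."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    # Rule checks: only the relax-style flag skips these.
    if not relax:
        if attr not in SCHEMA:
            return OBJECT_CLASS_VIOLATION
        if SCHEMA[attr]:
            # Assumed code for a system-only violation in this model.
            return CONSTRAINT_VIOLATION
    values = entry.get(attr, set())
    present = value in values
    # Idempotency checks: only the permissive flag forgives these.
    if op == "add" and present:
        return SUCCESS if permissive else ATTRIBUTE_OR_VALUE_EXISTS
    if op == "delete" and not present:
        return SUCCESS if permissive else NO_SUCH_ATTRIBUTE
    if op == "add":
        entry.setdefault(attr, set()).add(value)
    else:
        values.discard(value)
    return SUCCESS


def demo():
    """Run the same requests under each flag and collect the result codes."""
    entry = {"member": {"alice"}}  # constructed sample entry
    return {
        "re-add, plain": modify(entry, "add", "member", "alice"),
        "re-add, permissive": modify(entry, "add", "member", "alice", permissive=True),
        "delete missing, permissive": modify(entry, "delete", "member", "bob", permissive=True),
        "system-only, permissive": modify(entry, "add", "objectGUID", "x", permissive=True),
        "system-only, relax": modify(entry, "add", "objectGUID", "x", relax=True),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case}: {code}")
```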
