Need a good way to deal with 'relax' security

Andrew Bartlett abartlet at
Mon Oct 18 04:26:37 MDT 2010

On Mon, 2010-10-18 at 11:53 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
> no problem for me - I've reopened the bug report. Regarding different 
> controls: I wonder if this won't make everything too complex to achieve. 
> If we would like to achieve this then we should use RELAX for OpenLDAP 
> and some other RELAX for our actual uses in the dsdb code.

Yes, that's the approach I would like to take.  I would start by
defining a 'provision' control, which is for things that provision

> It's much better if we start looking at the PERMISSIVE_MODIFY control - 
> probably this can substitute RELAX at least in some cases.

No, permissive_modify is a little different.  It just means that you can
delete something that is already gone, and add something that already
exists.  Relax is about violating the schema and similar rules (such as

I don't think it will be too complex to split apart relax - we just need
to change it one at a time, and keep 'make test' passing. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list