Need a good way to deal with 'relax' security

Matthias Dieter Wallnöfer mdw at
Sat Oct 23 11:02:46 MDT 2010

Hi Andrew,

I've now registered the provision control in the appropriate places. Now 
we should see how we migrate from "relax" to "provision".


Andrew Bartlett wrote:
> On Mon, 2010-10-18 at 11:53 +0200, Matthias Dieter Wallnöfer wrote:
>> Hi Andrew,
>>
>> no problem for me - I've reopened the bug report. Regarding different
>> controls: I wonder if this won't make everything too complex to achieve.
>> If we would like to achieve this then we should use RELAX for OpenLDAP
>> and some other RELAX for our actual uses in the dsdb code.
>
> Yes, that's the approach I would like to take.  I would start by
> defining a 'provision' control, which is for things that provision
> needs.
>
>> It's much better if we start looking at the PERMISSIVE_MODIFY control -
>> probably this can substitute RELAX at least in some cases.
>
> No, permissive_modify is a little different.  It just means that you can
> delete something that is already gone, and add something that already
> exists.  Relax is about violating the schema and similar rules (such as
> system-only).
>
> I don't think it will be too complex to split apart relax - we just need
> to change it one at a time, and keep 'make test' passing.
>
> Andrew Bartlett

More information about the samba-technical mailing list