Need a good way to deal with 'relax' security
Matthias Dieter Wallnöfer
mdw at samba.org
Sat Oct 23 11:02:46 MDT 2010
Hi Andrew,
I've now registered the provision control in the appropriate places. Now
we should see how we migrate from "relax" to "provision".
Cheers,
Matthias
Andrew Bartlett wrote:
> On Mon, 2010-10-18 at 11:53 +0200, Matthias Dieter Wallnöfer wrote:
>
>> Hi Andrew,
>>
>> no problem for me - I've reopened the bug report. Regarding different
>> controls: I wonder if this won't make everything too complex to achieve.
>> If we would like to achieve this then we should use RELAX for OpenLDAP
>> and some other RELAX for our actual uses in the dsdb code.
>>
> Yes, that's the approach I would like to take. I would start by
> defining a 'provision' control, which is for things that provision
> needs.
>
>
>> It's much better if we start looking at the PERMISSIVE_MODIFY control -
>> probably this can substitute RELAX at least in some cases.
>>
> No, permissive_modify is a little different. It just means that you can
> delete something that is already gone, and add something that already
> exists. Relax is about violating the schema and similar rules (such as
> system-only).
>
> I don't think it will be too complex to split apart relax - we just need
> to change it one at a time, and keep 'make test' passing.
>
> Andrew Bartlett
>
>
More information about the samba-technical
mailing list