Frontend DB needs ACLs for base="" and cn=subschema - schema and base dn are not accessible via anonymous connections by default

What would be the security implication of opening read access to anyone
(by *)?

IIRC that's the way it is by default with slapd.conf, so we are keeping the same privileges in cn=config.

The base "" was meant to be readable by everyone because it advertises the capabilities of the server. Without it, for example, a client can't know if the server supports START TLS or not. And this discovery has implications in the authentication mechanism the client will decide to use next, so clients may not even be able to authenticated without having this information beforehand. Chicken and egg.

If the schema is not public, it will break many clients doing anonymous browsing of the server. So if the intent of the admin is to allow as little as possible anonymous connections, this acls could be changed to read "by users read". But I still think some random client might break. For example, if it tries to check for the schema before being authenticated.

On Fri, Sep 11, 2009 at 02:20:29PM -0000, Andreas Hasenack wrote:
> IIRC that's the way it is by default with slapd.conf, so we are keeping
> the same privileges in cn=config.
>

Well - IIRC the default slapd.conf was 'access to * by * read' for the
default database:

access to *
        by dn="@ADMIN@" write
        by * read

> The base "" was meant to be readable by everyone because it advertises
> the capabilities of the server. Without it, for example, a client can't
> know if the server supports START TLS or not. And this discovery has
> implications in the authentication mechanism the client will decide to
> use next, so clients may not even be able to authenticated without
> having this information beforehand. Chicken and egg.
>

Right. So 'olcAccess: to dn.base="" by *' read makes sense and should be
added to the default ACL list.

> If the schema is not public, it will break many clients doing anonymous
> browsing of the server. So if the intent of the admin is to allow as
> little as possible anonymous connections, this acls could be changed to
> read "by users read". But I still think some random client might break.
> For example, if it tries to check for the schema before being
> authenticated.

It seems that we'll have to make a choice between security and
backward-compatibility. I'd like to get the opinion of the security team
for this one.

Should a default slapd installation have 'olcAccess: to dn.base="cn=schema" by * read' ?

  subscribe ubuntu-security

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

FWIW, I tried Luma and Apache Directory Studio and both first authenticate and then check for the schema, so their search for the schema is an authenticated one.

discovery in ldapvi does not work without mentioned changes

This bug was fixed in the package openldap - 2.4.21-0ubuntu4

---------------
openldap (2.4.21-0ubuntu4) lucid; urgency=low

  [ Simon Olofsson ]
  * debian/slapd.postinst:
    - Show a message after successful migration (LP: #538848)

  [ Jorgen Rosink ]
  * debian/slapd.init: add simple status checking with LSB compatible exit
    codes (LP: #562377)
  * debian/slapd.init.ldif:
    - remove admin user in default config database (LP: #556176)
    - in default config, add olcAccess entries giving access to controls
      available and cn=subschema (LP: #427842)

  [ Scott Moser ]
  * debian/slapd.scripts-common: Do not create /nonexistent directory
     for openldap user's home (LP: #556176)
  * debian/slapd.postinst: fix cn=config olcAccess migration (LP: #559070)
 -- Scott Moser <email address hidden> Mon, 12 Apr 2010 16:16:47 -0400

Still broken for me :(