<snip>
>
> I would like to note that all those ACIs were defined by default
> during installation and initial configuration of 389, I didn't add
> anything manually.
> I understand now that it is a lot better to have an explicit list of
> allowed attributes than a negative blacklist.
> If I get it correctly this is a huge security problem and I've seen
> a lot of LDAP servers configured this way.
Yes - you will notice that the 1.4.x servers completely change the
default ACIs to no longer have this vulnerability :)
I rewrote our 1.4.x ACIs to be a guide on secure ACI practices, which
also have useful features like delegation of permissions and more.
In general I am personally very excited for 1.4.x because it comes with
many changes that will improve the administrator experience and safety
by default.
Thanks!
>
> thanks again for your time, william.
>
>
> abosch
--
Thanks,
William Brown
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
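
An added example (not part of the original thread, and not 389 Directory Server's own code): a small audit that flags ACIs whose allow rule uses a negated or wildcard `targetattr`, the deny-list pattern discussed above, and passes ACIs that name their attributes explicitly. The sample ACI values, ACL names and DNs are constructed for illustration.

```python
import re

# targetattr clause of an ACI: (targetattr = "a || b") or (targetattr != "a")
TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
ALLOW = re.compile(r'\ballow\s*\(', re.IGNORECASE)

# Constructed sample ACI values (not copied from any server's defaults).
SAMPLE_ACIS = [
    '(targetattr != "userPassword")(version 3.0; acl "anonymous read"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || sn || uid || mail")(version 3.0; acl "anonymous read names"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "*")(version 3.0; acl "admin group"; '
    'allow (all) groupdn = "ldap:///cn=admins,dc=example,dc=com";)',
]


def audit_aci(aci):
    """Return (acl_name, finding); finding is None when nothing is flagged."""
    name_match = ACL_NAME.search(aci)
    name = name_match.group(1) if name_match else "<unnamed>"
    if not ALLOW.search(aci):
        return name, None  # only allow rules are checked here
    clause = TARGETATTR.search(aci)
    if clause is None:
        return name, None  # no targetattr clause to evaluate
    operator = clause.group(1)
    attrs = [a.strip() for a in clause.group(2).split("||")]
    if operator == "!=":
        # Deny-list: any attribute added to the schema later is exposed too.
        return name, "negated targetattr, allows attributes other than: " + ", ".join(attrs)
    if "*" in attrs:
        return name, "wildcard targetattr, no explicit attribute list"
    return name, None


def audit(acis):
    """Return only the ACIs that need review, as (acl_name, finding) pairs."""
    return [(name, finding) for name, finding in map(audit_aci, acis) if finding]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACIS):
        print(f"{name}: {finding}")
```
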