Bug 712494
Summary: | set cn=config database ACLs for user root in default configuration | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Vcelak <jvcelak> | |
Component: | openldap | Assignee: | Jan Vcelak <jvcelak> | |
Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 6.1 | CC: | jplans, jvcelak, nc, omoris, rvokal, tsmetana | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | openldap-2.4.23-16.el6 | Doc Type: | Bug Fix | |
Doc Text: |
- default installation of openldap-servers
- the configuration database (cn=config) can be modified only using text editor and when slapd is not running - this is uncomfortable, can lead to problems and therefore it is not generally recommended by upstream
- ldapi:/// interface was enabled by default and ACLs were set for cn=config database for 'root' user
- after default installation, the root user can modify the server configuration without stopping the server and using OpenLDAP client tools, when authenticated using ldapi:/// and EXTERNAL SASL mechanism
|
Story Points: | --- | |
Clone Of: | ||||
: | 712495 (view as bug list) | Environment: | ||
Last Closed: | 2011-12-06 12:12:43 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Jan Vcelak
2011-06-10 19:06:48 UTC
Resolved in openldap-2.4.23-16.el6 Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: - default installation of openldap-servers - the configuration database (cn=config) can be modified only using text editor and when slapd is not running - this is uncomfortable, can lead to problems and therefore it is not generally recommended by upstream - ldapi:/// interface was enabled by default and ACLs were set for cn=config database for 'root' user - after default installation, the root user can modify the server configuration without stopping the server and using OpenLDAP client tools, when authenticated using ldapi:/// and EXTERNAL SASL mechanism Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1514.html |