<snip>
I would like to note that all those ACIs were defined by default during installation and initial configuration of 389, I didn't add anything manually. I understand now that it is a lot better to have an explicit list of allowed attributes than a negative blacklist. If I get it correctly this is a huge security problem and I've seen a lot of LDAP servers configured this way.
Yes - you will notice that the 1.4.x servers completely change the default ACIs to no longer have this vulnerability :)
I rewrote our 1.4.x ACIs to be a guide on secure ACI practices, that also have useful features like delegation of permissions and more.
In general I am personally very excited for 1.4.x because it comes with many changes that will improve the administrator experience and safety by default,
Thanks!
Thanks again for your time, William.
abosch
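
An added example, not from the thread or from 389 Directory Server's own tooling: a small Python audit that separates ACIs with an explicit attribute allow-list from those using a `targetattr !=` exclusion, the pattern discussed above. The sample ACIs, function names and labels are constructed for illustration.

```python
import re

# targetattr clause: operator plus a quoted, "||"-separated attribute list.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)

# Constructed sample ACIs; not copied from any server's defaults.
SAMPLE_ACIS = [
    '(targetattr != "userPassword")(version 3.0; acl "constructed-anon-read"; '
    'allow (read,search,compare) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || sn || uid || mail")(version 3.0; acl "constructed-names"; '
    'allow (read,search,compare) userdn = "ldap:///all";)',
    '(targetattr = "*")(version 3.0; acl "constructed-admins"; '
    'allow (all) groupdn = "ldap:///cn=admins,dc=example,dc=com";)',
]

def classify_aci(aci):
    """Return (kind, attrs): 'denylist', 'wildcard', 'allowlist' or 'no-targetattr'."""
    m = TARGETATTR_RE.search(aci)
    if m is None:
        return ("no-targetattr", [])  # not assessed by this sketch
    op, value = m.groups()
    attrs = [a.strip() for a in value.split("||") if a.strip()]
    if op == "!=":
        # Everything except the named attributes is in scope, so any
        # attribute added to entries later is covered automatically.
        return ("denylist", attrs)
    if "*" in attrs:
        return ("wildcard", attrs)
    return ("allowlist", attrs)

def find_risky(acis):
    """Return (kind, acl name) for ACIs whose scope is not an explicit list."""
    risky = []
    for aci in acis:
        kind, _ = classify_aci(aci)
        if kind in ("denylist", "wildcard"):
            name = ACL_NAME_RE.search(aci)
            risky.append((kind, name.group(1) if name else "<unnamed>"))
    return risky

if __name__ == "__main__":
    for kind, name in find_risky(SAMPLE_ACIS):
        print(f"{kind}: {name}")
```

Flagged ACIs still need a human look at the bind rule: a wildcard limited to an administrators group is a different risk from an exclusion list readable by anonymous binds.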