Skip to content

[1.0.0] Harden the default security posture of the server.#212

Merged
ChadSikorra merged 6 commits into
FreeDSx:mainfrom
ChadSikorra:upgrade/security-pt1
Jul 12, 2026
Merged

[1.0.0] Harden the default security posture of the server.#212
ChadSikorra merged 6 commits into
FreeDSx:mainfrom
ChadSikorra:upgrade/security-pt1

Conversation

@ChadSikorra

@ChadSikorra ChadSikorra commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

This makes several changes to the default ACL rules in place. Currently, a user is expected to set all their own ACLs and it isn't clear what should be set by default to not expose real issues. This fixes that by:

  • Using a secure by default ACL rule list, which restricts password attributes / privileged controls / privileged extended operations.
  • Exposes a "manager" DN, which is a super user defined by config. This is like a recovery account basically.
  • Exposes a "admin" subject that can be either that DN or a group granted extended rights (password reset / priveleged ops).
  • Allows granular read / write distinctions in attribute based ACLs. This was needed to close the gap on who can read / write userPassword in various contexts.

The default secure rules are also composable onto a custom ACL ruleset for convenience (so you don't accidentally mess them up trying to define them). And these defaults are now covered via actual integration tests.

This will have some follow-ups related to the newly added manager user and also some subtle behavior with userPassword outside of the normal password reset method for users.

Currently, a user is expected to set all their own ACLs and it isn't clear what should be set by default to not expose real issues. This fixes that by:

* Using a secure by default ACL rule list, which restricts password attributes, restricts privileged operations, restricts privileged extended operations.
* Exposes a "manager" DN, which is a super user defined by config. This is like a recovery account basically.
* Exposes a "admin" subject that can be either that DN or a group granted extended rights (password reset / priveleged ops).

The default secure rules are also composable onto a custom ACL ruleset for convenience (so you don't accidentally mess them up trying to define them).
…ded to correctly gate userPassword access and gives more fine grained control over attribute access in general.
… to explicitly opt-in to a more relaxed ACL.
…ds a bypass for attribute visibility, which is expected for sync. It's also why sync repl is a priveleged control.
…ers to explicitly construct using "fromEmpty" if they want their own. Document the hazards.
@ChadSikorra ChadSikorra merged commit 1520292 into FreeDSx:main Jul 12, 2026
21 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant