[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4497) don't proxyAuthz the bound identity?

To: openldap-its@OpenLDAP.org
Subject: (ITS#4497) don't proxyAuthz the bound identity?
From: ando@sys-net.it
Date: Fri, 21 Apr 2006 19:05:18 GMT

Full_Name: Pierangelo Masarati
Version: HEAD,re23,re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.72.89.40)
Submitted by: ando


When idassert is appropriate, back-ldap currently idasserts even if the
proxyAuthz identity is the same identity that is already bound.  This is
redundant, and, moreover, requires proxyAuthz privileges on those DSAs that
implement it (OpenLDAP doesn't care, as one can always authz as self).

I suggest (1) to avoid idasserting self in those cases; (2) if this behavior is
to any extent acceptable or even desirable, I suggest it's made optional.

A patch for (1) is coming.

p.

Prev by Date: Re: (ITS#4435) Error installing OpenLDAP during make
Next by Date: Re: patch: SLP attributes support (ITS#4414)
Index(es):
- Chronological
- Thread