
(ITS#5555) authzTo ACL check for wrong principal



Full_Name: Andrew Findlay
Version: 2.4.10
OS: Linux: SuSE 10.2
URL: 
Submission from: (NULL) (88.97.25.132)


When using "authz-policy to" I find that the entity that is trying to do an
operation on behalf of another entity needs read access to its own authzTo
attribute.
This seems wrong: authzTo is defining what the user may do: I do not really want
them to be able to see it. When doing a proxy authz I think ACLs for this
attribute should not be checked at all as the access is effectively being done
by the rootdn.