Re: (ITS#5555) authzTo ACL check for wrong principal
andrew.findlay@skills-1st.co.uk wrote:
> When using "authz-policy to" I find that the entity that is trying to do an
> operation on behalf of another entity needs read access to its own authzTo
> attribute.
> This seems wrong: authzTo is defining what the user may do: I do not really want
> them to be able to see it. When doing a proxy authz I think ACLs for this
> attribute should not be checked at all as the access is effectively being done
> by the rootdn.
AFAIK, access to that attribute is checked using AUTH rather than READ.
The idea is that ACLs should allow fine-grained control over who is
allowed to exploit the authorization feature while giving up as little
as possible (e.g. AUTH instead of READ).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
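As an added illustration of the point made in the reply above (this is not part of the ITS report or of the OpenLDAP sources), the following slapd.conf fragment grants the proxying identity only "auth" access to its own authzTo attribute, which is what the proxy authorization check needs, without granting "read". The suffix dc=example,dc=com, the proxy account uid=proxy,ou=svc,dc=example,dc=com and the authzTo value shown in the comments are assumptions made for the example.

```conf
# Added example (not from the ITS or from OpenLDAP); assumed suffix
# dc=example,dc=com and an assumed proxy account
# uid=proxy,ou=svc,dc=example,dc=com.

# Look up authzTo on the *proxying* entry ("to" policy), not authzFrom
# on the target.
authz-policy    to

# The proxy entry is assumed to carry a value such as (LDIF):
#   dn: uid=proxy,ou=svc,dc=example,dc=com
#   authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)

# Grant only "auth" access to authzTo. That is the level slapd checks
# when evaluating proxy authorization, so the proxy can still assume
# identities under ou=people, but neither the proxy nor anyone else can
# read the attribute back with a search. This clause must precede the
# catch-all rule below, because the first matching "access to" wins.
access to attrs=authzTo
        by self auth
        by * none

access to *
        by self write
        by users read
        by * auth
```

With this in place, a bind as the assumed proxy followed by a proxied operation, e.g. ldapwhoami -D "uid=proxy,ou=svc,dc=example,dc=com" -W -e '!authzid=dn:uid=alice,ou=people,dc=example,dc=com', is expected to report the target identity, while an ldapsearch by the proxy for its own entry omits authzTo because only "auth", not "read", was granted.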