[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5555) authzTo ACL check for wrong principal

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5555) authzTo ACL check for wrong principal
From: ando@sys-net.it
Date: Sat, 14 Jun 2008 13:58:41 GMT

andrew.findlay@skills-1st.co.uk wrote:

> When using "authz-policy to" I find that the entity that is trying to do an
> operation on behalf of another entity needs read access to its own authzTo
> attribute.
> This seems wrong: authzTo is defining what the user may do: I do not really want
> them to be able to see it. When doing a proxy authz I think ACLs for this
> attribute should not be checked at all as the access is effectively being done
> by the rootdn.

AFAIK, access to that attribute is checked using AUTH rather than read. 
  The idea is that ACLs should allow to fine-grain control who is 
allowed to exploit the authorization feature while giving up as little 
as possible (e.g. AUTH instead of READ).

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: (ITS#5559) slapo-pcache sizelimit caching not documented
Next by Date: Re: (ITS#5556) ldapadd/slapadd create objects without RDN
Index(es):
- Chronological
- Thread