
Re: (ITS#5555) authzTo ACL check for wrong principal



On Sat, Jun 14, 2008 at 03:59:37PM +0200, Pierangelo Masarati wrote:

> AFAIK, access to that attribute is checked using AUTH rather than read. 
>  The idea is that ACLs should allow to fine-grain control who is 
> allowed to exploit the authorization feature while giving up as little 
> as possible (e.g. AUTH instead of READ).

You are right: if I just grant 'auth' access to 'authzTo' the proxy
authorisation succeeds. The philosophy makes sense so I will try to
come up with a suitable patch to the Admin Guide describing how to use
it. At the moment the only note about this is in the ACL Examples
(7.2.5 at present) which says that authentication/authorization
is always done anonymously - obviously not entirely true.

I am still a bit worried about the logic of the access test, as in my
environment I just had to grant the principal auth access to their own 
authzTo attribute to make proxy authorization work: the principal does
not even have 'disclose' access to their own entry or the parent
entry. Normally I would expect to need some level of access to
everything in the DN before I could make use of an attribute in an entry.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
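To illustrate the ACL behaviour the message describes, here is a constructed slapd.conf fragment. It is an added example and not Andrew's or the OpenLDAP project's configuration; the DNs and the `authz-policy` choice are assumptions, and the ACL only grants the `auth` privilege on `authzTo` that the message reports as sufficient.

```conf
# Constructed slapd.conf fragment (example only; DNs are placeholders).

# Let the authenticating identity's own entry say whom it may proxy as
# ("to" policy: the authzTo attribute on the authcDN entry is consulted).
authz-policy to

# The authorization data lives on the authenticated principal's entry.
# Constructed LDIF for that entry:
#   dn: uid=proxyuser,ou=people,dc=example,dc=com
#   authzTo: dn.exact:uid=alice,ou=people,dc=example,dc=com

# ACL clauses are evaluated in order and the first match wins, so the
# attribute-specific rule must precede the catch-all below.
# Only 'auth' is granted on authzTo: slapd checks this attribute with the
# AUTH privilege, not READ, so the principal can use the authorization
# feature without being able to read the attribute back.
access to attrs=authzTo
    by self auth
    by * none

# Everything else: ordinary access for authenticated users.
access to *
    by users read
    by * none
```

As the message notes, the principal needs no `disclose` or `read` access to its own entry or the parent for the proxy authorization check to pass; only the `auth` privilege on `authzTo` is consulted. Anyone auditing such a configuration should therefore review `authzTo` (and `authzFrom`) values and the ACLs covering them together, since they alone decide who may act as whom.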