[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5555) authzTo ACL check for wrong principal

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5555) authzTo ACL check for wrong principal
From: andrew.findlay@skills-1st.co.uk
Date: Tue, 17 Jun 2008 08:22:17 GMT

On Mon, Jun 16, 2008 at 08:06:17PM +0200, Pierangelo Masarati wrote:

> Ah, OK.  Note that since some point in 2.3, authorization is described 
> by a specific syntax <http://www.openldap.org/faq/data/cache/1254.html>, 
> which should probably be advertised a bit more (and moved out from the 
> experimental OID arc).

If that is used *everywhere* for authorisation then there could well
be more doc errors to correct. I am fairly sure I saw one place where
the docs specifically exclude some of those forms.

I notice that '*' excludes anonymous in this spec. There is an
undocumented option to 'allow' that seems relevant: proxy_authz_anon -
would allowing this cause anon to be included in '*' generally or is
it not that simple?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

Prev by Date: Re: (ITS#5555) authzTo ACL check for wrong principal
Next by Date: Re: (ITS#5555) authzTo ACL check for wrong principal
Index(es):
- Chronological
- Thread