Re: (ITS#5555) authzTo ACL check for wrong principal
andrew.findlay@skills-1st.co.uk wrote:
> On Mon, Jun 16, 2008 at 08:06:17PM +0200, Pierangelo Masarati wrote:
>
>> Ah, OK. Note that since some point in 2.3, authorization is described
>> by a specific syntax <http://www.openldap.org/faq/data/cache/1254.html>,
>> which should probably be advertised a bit more (and moved out from the
>> experimental OID arc).
>
> If that is used *everywhere* for authorisation then there could well
> be more doc errors to correct. I am fairly sure I saw one place where
> the docs specifically exclude some of those forms.
Yes, I believe in some cases some of the variants of the syntax are not
allowed. This is true, for example, in SASL identity mapping, which
does not allow the regex, subtree, children, onelevel, group and users
styles; only the base and uri forms are allowed (provided the latter
only returns a single match).
> I notice that '*' excludes anonymous in this spec. There is an
> undocumented option to 'allow' that seems relevant: proxy_authz_anon -
Why undocumented? It is documented (in 2.4, at least; it does not exist
for 2.3).
> would allowing this cause anon to be included in '*' generally or is
> it not that simple?
'*' implies a non-empty value; to include anonymous, use "dn.regex:.*",
or "dn.subtree:".
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
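The point Pierangelo makes about '*' versus "dn.regex:.*" and "dn.subtree:" is easy to get wrong when reviewing authzTo/authzFrom values, so here is an added example (not OpenLDAP's code and not part of the original thread) that models the dn-based authz spec styles on a few constructed DNs and reports which specs admit the anonymous identity. It assumes the anonymous identity is the empty DN, compares DNs as case-folded RDN lists split on unescaped commas, uses Python's regex engine in place of POSIX ERE, and leaves out the u:, group and URI forms; all of that is a simplification of this example, not a statement about slapd's own matching code.

```python
"""Toy model of the dn-based OpenLDAP authz spec styles (added example).

This is NOT OpenLDAP's implementation. It exists to show which
'dn[.<style>]:<pattern>' forms, and the bare '*', admit the anonymous
identity, modelled here as the empty DN "". Assumptions of this model:
DNs are compared as case-folded RDN lists split on unescaped commas,
attribute values are not otherwise normalised, and regex patterns use
Python's re.search (unanchored, like POSIX regexec) rather than real ERE.
"""
import re

ANONYMOUS = ""  # the anonymous identity has an empty DN

# Styles this model understands; 'exact' and 'one' are treated as
# aliases of 'base' and 'onelevel'.
_SPEC_RE = re.compile(
    r"dn(?:\.(base|exact|subtree|children|onelevel|one|regex))?:(.*)", re.S)


def split_dn(dn):
    """Split a DN into normalised RDN strings, most specific first.

    The empty DN yields an empty list. Backslash-escaped commas do not
    split an RDN.
    """
    if dn == "":
        return []
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip().lower() for p in parts]


def parse_spec(spec):
    """Return (style, pattern). '*' becomes the 'any' style; a bare
    'dn:' defaults to the base style."""
    if spec == "*":
        return ("any", None)
    m = _SPEC_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported authz spec in this model: {spec!r}")
    style = m.group(1) or "base"
    style = {"exact": "base", "one": "onelevel"}.get(style, style)
    return (style, m.group(2))


def authz_match(spec, dn):
    """True if the identity `dn` is matched by the authz spec `spec`."""
    style, pattern = parse_spec(spec)
    if style == "any":
        # '*' implies a non-empty identity, so anonymous is excluded.
        return dn != ANONYMOUS
    if style == "regex":
        # '.*' matches the empty DN, so dn.regex:.* admits anonymous.
        return re.search(pattern, dn, re.I) is not None
    base = split_dn(pattern)
    target = split_dn(dn)
    if style == "base":
        return target == base
    # Remaining styles require `target` to end with `base`; an empty base
    # (dn.subtree:) is an ancestor of every DN, the empty DN included.
    if len(target) < len(base) or target[len(target) - len(base):] != base:
        return False
    depth = len(target) - len(base)
    if style == "subtree":
        return True
    if style == "children":
        return depth >= 1
    return depth == 1  # onelevel


def specs_admitting_anonymous(specs):
    """Return the subset of `specs` that would match the anonymous identity;
    useful when auditing authzTo/authzFrom values for unintended reach."""
    return [s for s in specs if authz_match(s, ANONYMOUS)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    sample = ["*", "dn.regex:.*", "dn.subtree:",
              "dn.subtree:dc=example,dc=com",
              "dn:cn=proxy,ou=services,dc=example,dc=com"]
    for s in sample:
        print(f"{s:45} anonymous={authz_match(s, ANONYMOUS)}")
```

Running the block prints one line per sample spec; the first entry shows that '*' does not admit anonymous while "dn.regex:.*" and "dn.subtree:" do, which is the distinction the reply draws.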