
Re: (ITS#5555) authzTo ACL check for wrong principal



andrew.findlay@skills-1st.co.uk wrote:
> On Mon, Jun 16, 2008 at 08:06:17PM +0200, Pierangelo Masarati wrote:
> 
>> Ah, OK.  Note that since some point in 2.3, authorization is described 
>> by a specific syntax <http://www.openldap.org/faq/data/cache/1254.html>, 
>> which should probably be advertised a bit more (and moved out from the 
>> experimental OID arc).
> 
> If that is used *everywhere* for authorisation then there could well
> be more doc errors to correct. I am fairly sure I saw one place where
> the docs specifically exclude some of those forms.

Yes, I believe in some cases some of the variants of the syntax are not 
allowed.  This is true, for example, in SASL identity mapping, which 
does not allow the regex, subtree, children, onelevel, group and users 
styles, only the base and uri forms are allowed (provided the latter 
only returns a single match).

> I notice that '*' excludes anonymous in this spec. There is an
> undocumented option to 'allow' that seems relevant: proxy_authz_anon -

Why undocumented?  It is documented (in 2.4, at least; it does not exist 
for 2.3).

> would allowing this cause anon to be included in '*' generally or is
> it not that simple?

'*' implies a non-empty value; to include anonymous, use "dn.regex:.*", 
or "dn.subtree:".

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
-----------------------------------
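As an added example, not code from this thread or from OpenLDAP itself: a small Python model of the `dn` forms of the authorization identity syntax discussed above, showing why `*` excludes anonymous while `dn.regex:.*` and `dn.subtree:` include it. It goes beyond the two forms named in the reply by also modelling `dn.exact`, `dn.children` and `dn.onelevel`; it assumes DNs are already normalized and represents the anonymous identity as the empty DN.

```python
import re

# Constructed, simplified model of the authz identity syntax (not slapd's
# own matching code). Assumptions: DNs are normalized (lowercase, no extra
# whitespace), commas inside attribute values are backslash-escaped, and the
# anonymous identity is the empty DN "".

def split_rdns(dn):
    """Split a DN into its RDNs on unescaped commas; "" has zero RDNs."""
    if dn == "":
        return []
    return re.split(r'(?<!\\),', dn)

def authz_match(pattern, dn):
    """Return True if identity `dn` satisfies the authz `pattern`.

    Supported forms: "*", "dn:<dn>", "dn.exact:<dn>", "dn.regex:<re>",
    "dn.subtree:<dn>", "dn.children:<dn>", "dn.onelevel:<dn>".
    """
    if pattern == "*":
        # '*' implies a non-empty value, so anonymous (empty DN) never matches
        return dn != ""
    if not pattern.startswith("dn"):
        raise ValueError("only the dn forms are modelled here")
    spec, _, value = pattern.partition(":")
    style = spec[3:] if "." in spec else "exact"   # bare "dn:" means exact
    if style == "regex":
        # dn.regex:.* matches every identity, the empty DN included
        return re.fullmatch(value, dn) is not None
    rdns, base = split_rdns(dn), split_rdns(value)
    n, m = len(rdns), len(base)
    ends_with_base = n >= m and rdns[n - m:] == base
    if style == "exact":
        return rdns == base
    if style == "subtree":
        # an empty base ("dn.subtree:") is an ancestor of every DN, "" included
        return ends_with_base
    if style == "children":
        return ends_with_base and n > m
    if style == "onelevel":
        return ends_with_base and n == m + 1
    raise ValueError(f"unknown style {style!r}")

def any_authz_match(patterns, dn):
    """True if at least one pattern (e.g. the values of authzTo) matches `dn`."""
    return any(authz_match(p, dn) for p in patterns)
```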