
Re: OpenLDAP enhancements



On Mon, Aug 09, 1999 at 04:36:12PM -0400, Mark Valence wrote:
> A related change that I'd like to make is the addition of "secure" 
> permissions.  For example, I'd like to be able to do something like 
> this:
> 
>      access to attr=privateAttr by * secureread
> 
> What secureread (and securewrite, etc.) means is that the connection 
> over which the reading (writing) is happening is secure (via SASL/TLS 
> SSL).  What I'm looking for is on-the-wire security enforced for 
> certain attributes.
> 
> Doing secureread/securewrite seems really easy, from my current 
> understanding of the source.  Also, adding dynamic configuration of 
> ACLs through LDAP seems pretty straightforward.  I want to do it 
> right, though, and comments like David's are right on the mark (as 
> are others that I have received in private e-mail).

Actually you can already do this in the -devel branch I believe by using
the url based acls and setting it so it's only accessible via the secure
url (the ssl port).

Not sure how this will work when SASL support is complete (setting acls
based on the SASL method chosen?).

Ben
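For readers looking at this thread today: the per-attribute "secure access" that Mark proposes, and the port-based restriction Ben describes, can both be expressed in the ACL syntax of later OpenLDAP 2.x releases. The slapd.conf fragment below is an added illustration, not part of this 1999 exchange; the attribute name privateAttr is taken from Mark's mail, the SSF threshold of 128 is an assumed value.

```conf
# Added example (OpenLDAP 2.x slapd.conf syntax), not from the original thread.
# Load the schema that defines privateAttr before this point (path assumed).
include         /etc/openldap/schema/core.schema

# Option 1: require a minimum security strength factor on the connection.
# ssf= counts TLS negotiated on the ldaps:// port AND StartTLS on ldap://,
# so it expresses "on-the-wire security" independent of which port was used.
# 128 is an assumed threshold; it corresponds to a 128-bit cipher.
access to attrs=privateAttr
        by ssf=128 self write
        by ssf=128 users read
        by * none

# Option 2: the approach Ben describes, restricting by the listener URL.
# sockurl= matches the URL slapd was listening on for this connection.
# Caveat: a StartTLS session on ldap://:389 is encrypted but does NOT match,
# while a cleartext bind to the ldaps:// port is impossible, so this is
# stricter about the port and looser about actual protection than ssf=.
access to attrs=privateAttr
        by sockurl="^ldaps://" users read
        by * none

# Everything else stays readable to authenticated users regardless of transport.
access to *
        by self write
        by users read
        by * none
```

The first matching `access to` clause wins, so the privateAttr rules must precede the catch-all; with `by * none` as the final `by` clause, a request over an insecure connection is simply denied rather than falling through.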