[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem in acl.c



> ACL's and proxies are fun.  I think one needs to choose:
>         a) remote server enforces access controls
>         b) proxy enforces access controls
> 
> In either case, what the proxy returns to the client must
> be consistent with RFC 2251:
>    Servers which perform caching or shadowing MUST ensure that they do
>    not violate any access control constraints placed on the data by the
>    originating server.

If a violation is "to give away information that should not have been 
accessible to the op dn", well, the proxy is complying with.
The point is: the proxy is hiding information it should let go.

IMHO, a proxy should have "access to * by * read", and the remote server
should take care of ACLs; unfortunately the world is not so simple!
When we use proxies instead of referrals, usually we also want to 
enforce limitations on users, filter operations and so on ...

As you can see from ITS#1137, I found out half of the solution (I hope,
and I'll keep on digging for the other half, the dnattr part!).

Anyway, thanks for the hint; I didn't remeber that point in RFC 2251.

BTW, the "meta" directory is almost done (all ops work, and few trims
are to be done at exception handling). I'm testing it in a mixed
environment: a OpenLDAP 2.0 server with some 25.000 people, a Lotus Notes
with some 45.000 and a w2k AD with local users only, all with very
etherogeneous naming contexts and DIT organization appear as
a unique server!.

A snapshot is coming very soon.

Pierangelo.