[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem in acl.c



Stephan Siano wrote:

> > At a guess, the remote server does whatever it does, regardless of who
> > calls it. That means (a) is always true (unless the remote server has
> > explicitly turned controls off).
>
> Or unless the proxy authenticates as a proxy with some more access.

This is not the case we're considering; for the purpose of selecting
entries and reaults the proxy is simply propagating the auth tokens
it gets from the client.

>
> > The question then is whether you should
> > do (b) as well or not.
> >
> > If you want to handle all of these cases of missing attributes, I
> > suggest that back-ldap should walk through the backend-specific ACLs
> > looking for all referenced attrs and add them to the attribute list
> > before passing on the search.
>
> This would also imply that the proxy has access to all these attributes on
> the remote server

Well, it only implies the proxy wishes it had access to those attrs :)

> (and the proxy can't just play man in the middle for
> authentication purposes and authenticate as the user, that requires access).

Sure it must not.

>
> I would guess it more efficient to grant the proxy read access to anything
> that needs to be proxied and let the proxy get whole objects instead of
> single attributes. (That might have some drawbacks for the operational
> attributes, but I'm not sure which server should deliver this anyway, the
> proxy or the remote server).

Well, this should be done whenever possible, based on the proxy IP.
However I can think of scenarios in which the proxy is "friendish"
and might want to add restrictions based on the requesting user.

>
> This does also mean, that the proxy needs to be secured like the remote
> server, the proxies operator needs to be trusted and you need a way to
> propagate the access controls and authentication information to the proxies.

This is definitely true. It depends on the scenario, so IMHO
this feature should be available and should work correctly,
at the cost of some performance loss ONLY WHEN THE
FEATURE IS USED, of course.

>
> (Doing this manual with ACLs on each single proxy seems a little error prone
> to me). Maybe by the time all this stuff is working the ACIs are production
> ready :-)

Hopefully, this stuff is ready (at test level). Sure ACIs will allow
more flexibility, but remember they possibly are even more error
prone!

Pierangelo

--
Dr. Pierangelo Masarati    mailto:ando@sys-net.it
Developer, SysNet s.n.c.   http://www.sys-net.it