Access Control policies (Re: Proxy cache extension for OpenLDAP)
At 04:29 AM 2002-09-09, Pierangelo Masarati wrote:
>Although feasible (and surely interesting) this doesn't ensure
>the same rights of the source are applied by the caching proxy.
Yes. But this isn't necessarily desired. Say, for example,
your access policy incorporated something like:
Partner A is allowed access to X, Y, Z.
Partner A will obtain the information from
slave S1 or S2 using the credentials A.
Partner A will ensure X is only available to
employees of class X, Y to class Y,
and Z may be shared with members of
Partner A's service.
Now, one could set up S1 and S2 with just X, Y, and Z
and grant A access to it... or one could set up
S1 and S2 so they include more than X, Y, and Z but
only grant A access to X, Y, and Z.
But in either case, Partner A can set up a proxy server
which connects to either S1 or S2, authenticate as A and
get X, Y, and Z. Partner A must, of course, also
establish controls upon this proxy implementing the last
clause of the agreed upon access control policy.
My point here is there are many ways to skin a cat...
Kurt