[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: saslAuthz{To|From}

To: "'Pierangelo Masarati'" <ando@sys-net.it>
Subject: RE: saslAuthz{To|From}
From: "Howard Chu" <hyc@highlandsun.com>
Date: Sat, 20 Dec 2003 01:57:51 -0800
Cc: <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <3FE413A2.3050706@sys-net.it>

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo Masarati

> > Well... specifying the realm is irrelevant
>
> I would agree in principle, but, as appeared in ITS#2871,
> someone might want to use that field to map the incoming
> ID from a regular auth with a mech that uses thr realm,
> and use the same rule for proxyAuthz control.  If we allow
> to specify the realm (but not the mech) we give more freedom
> in writing sasl-regexp rules.  If we find out this freedom
> is too much, or has side effects that adversely impact
> security, then of course we need to limit it.  I'm open
> to any solution that resolves ITS#2871 without affecting
> security.

The realm field we're talking about here is useless. Only the DIGEST-MD5 mech
uses it, and the SASL library only allows it to have a single value. As such,
it is effectively a constant. A user cannot specify any other value for it,
so there is never an occasion to map one realm vs another.

> > This raises another point, which is vaguely related to the
> problem of
> > authorizing use of controls in the first place. I think it
> would be useful to
> > restrict the proxyAuthz control based on the LDAP
> Operation. E.g., I may only
> > want to authorize someone to proxy as me for Add
> operations, and nothing
> > else. This is not quite the same as the ACLs, nor do we
> need to duplicate ACL
> > functionality here. But it's something to consider.
>
> This sounds quite interesting.  A mech to do this could be
> to add the operation to the incoming ID, so that the
> sasl-regexp rule can take care of allowing/denying operations.

Yes, that was kind of my thought as well.

> One thing that s*cks is that the auth ID uses "cn" for every
> part; if we could use different attributes, or at least
> option modifiers, to clearly mark different parts ... e.g.

Yes, I think that's a pain too. How about this:
	uid=<user>,o=<mech>,cn=auth

Remember that mechs like Kerberos/GSSAPI keep their realm in the <user>
field, so we're not losing anything by dropping the xx=<realm> component.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: saslAuthz{To|From}
  - From: Pierangelo Masarati <ando@sys-net.it>

References:
- Re: saslAuthz{To|From}
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: saslAuthz{To|From}
Next by Date: Re: saslAuthz{To|From}
Index(es):
- Chronological
- Thread