[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3480) back-sql and ACL issues

To: openldap-devel@OpenLDAP.org
Subject: Re: (ITS#3480) back-sql and ACL issues
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 13 Jan 2005 15:37:56 +0100 (CET)
Importance: Normal
In-reply-to: <200501112315.j0BNFFW1080234@boole.openldap.org>
References: <200501112315.j0BNFFW1080234@boole.openldap.org>
User-agent: SquirrelMail/1.4.3a-1

[diverted to -devel]

> In most cases, ACL checking features can only be partially exploited
> within
> back-sql, because only the essential portions of the entries are computed
> for
> each operation before calling access_allowed().  As a consequence, access
> clauses like "dnattr" and so cannot be used if the appropriate attribute
> values
> have not been collected.  A side effect is that the requested attribute
> types/values affect access to the same entry.

I'm not too much keen to forcing back-sql to always generate the entire
entry, at least for searches.

I'm considering the opportunity to do so for updates, for security
concerns, and to provide either:

1) a configuration statement that forces the full generation of the entire
entry also for searches, to be used when one decides to implement access
control based on the target's content; or

2) a configuration statement that allows to list the attributes that
should always be requested in addition to those specific for an operation,
so administrators can provide hints to help access control.

Implementing both could be a further option.

Comments?

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Prev by Date: Re: Success Story: Perl Backend
Next by Date: Re: syncrepl simplification
Index(es):
- Chronological
- Thread