[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sun, 03 Apr 2005 10:44:01 -0700
Cc: Howard Chu <hyc@symas.com>, openldap-devel@OpenLDAP.org
In-reply-to: <424F907B.7010609@sys-net.it>
References: <200504020834.j328Y8WM008484@boole.openldap.org> <424E9AE0.2090203@sys-net.it> <6.2.1.2.0.20050402080426.072eef80@mail.openldap.org> <424ECED5.6010309@sys-net.it> <6.2.1.2.0.20050402090705.0278b3b8@mail.openldap.org> <424F14B9.9050306@symas.com> <424F1949.60301@sys-net.it> <424F28EC.7050001@symas.com> <424F29BC.3070803@sys-net.it> <424F3B3C.1010703@symas.com> <6.2.1.2.0.20050402181741.066d0b08@mail.openldap.org> <424F907B.7010609@sys-net.it>

At 10:43 PM 4/2/2005, Pierangelo Masarati wrote:
>The patch is mainly intended as a fast prototyping of the feature, and to provide the ACL-side support (parsing & evaluation).  Now, to handle the SASL authz feature all we need is properly feed the realndn (currently c_ndn, but we can easily revert to o_realndn if there's other requirements about how to feed it). 

I suspect we're all agreeing.  I think your code is fine and
appears safe to commit.

Just to be sure, here is an identity mapping summary as it
relates to subject identities (the identity subject to access
controls).

When simple bind is used, the bind name is not only the
authcId and authzId, but these directly to the authcDN and
authzDN.  When SASL bind is used, the authcID and authzID
are not only possible different, but each is mapped to
produce the authcDN and authzDN.  When the proxy authorization
control, a new authzId is provided by the client, which through
mapping generates a new authzDN.  The real subject should be
the authcDN, the effective subject is the authzDN.

Kurt

Follow-Ups:
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>

References:
- More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Howard Chu <hyc@symas.com>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Howard Chu <hyc@symas.com>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Howard Chu <hyc@symas.com>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
Next by Date: Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
Index(es):
- Chronological
- Thread