[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-dynlist desgin question(s)



Quanah,

you don't have to go through many examples --- your problem is clear and
well posed.  It's the solution: if the user has enough privilege to check
membership but, for implementation-related reasons, the software requires
higher privileges while gathering data, the solution is not to hack the
software raising the privileges of whom does internal data gathering,
because that would gather also data the user wouldn't be allowed to check.

The solution rather consists in making the software require as much
privilege as actually required for the actual operation, anything more
anything less, even during internal operations used to gather the data. 
The software was using an internal search as is, i.e. requiring "search"
on the filter and "read" on the data while actually gathering data for a
"compare", and the software was wrong (I guess there are many more places
where internal searches are used like that, sigh).  The fix is making the
software require "compare" in all those phases, since as soon as they're a
mere technicalism to gather data for a compare, that's the privilege they
should require.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------