[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/servers/slapd/overlays dyngroup.c

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: commit: ldap/servers/slapd/overlays dyngroup.c
From: Howard Chu <hyc@symas.com>
Date: Thu, 23 Aug 2007 13:09:29 -0700
Cc: OpenLDAP Commit <openldap-commit2devel@openldap.org>
In-reply-to: <46CDE355.6080601@sys-net.it>
References: <200708222340.l7MNe9WD041964@cantor.openldap.org> <46CD495F.1010201@sys-net.it> <46CDB66E.6020401@symas.com> <46CDD4B8.4010108@sys-net.it> <46CDD84F.9060302@symas.com> <46CDDC42.4090500@sys-net.it> <46CDE22B.3060705@symas.com> <46CDE355.6080601@sys-net.it>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a8pre) Gecko/2007082216 SeaMonkey/2.0a1pre

Pierangelo Masarati wrote:

Howard Chu wrote:

A dgPolicy flag could determine what behavior, in case of no compliance
with policy, should be taken: either (a) or (b), or none.

dgAuthz seems like overkill. If the user has read/search privs on the
group entry, that ought to be sufficient.


I disagree: by running an internal operation with dgIdentity, and
returning the results of that operation, you'd break the security model
of OpenLDAP.  In fact, a dynamic group can unveal data that would
otherwise be inaccessible to a user.  In fact, only running the search
with the user's identity guarantees the security model is not broken,
but dgAuthz, at least, gives some granularity.  This doesn't break
either backwards compatibility nor draft-haripriya-dynamicgroup: those
who want to stick with it only have to ignore dgAuthz.

If I create a group and give a user access to read the "member" attribute of that group, then I wanted them to be able to read that attribute, period. I don't care how the contents of that member attribute got populated.

If there is something in there that a particular user should not know about, then they simply should not have access to the entry/attribute in the first place.

As far as security goes, I think it is far more important that dyngroups behave *consistently*, such that when they are used in ACLs, they always return a predictable result. I.e., a static group yields the same information no matter how it is used or who is using it. A dyngroup should do the same (given that its constituent data remains unchanged). -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Follow-Ups:
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Howard Chu <hyc@symas.com>

References:
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Howard Chu <hyc@symas.com>
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Howard Chu <hyc@symas.com>
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Howard Chu <hyc@symas.com>
- Re: commit: ldap/servers/slapd/overlays dyngroup.c
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: commit: ldap/servers/slapd/overlays dyngroup.c
Next by Date: Re: commit: ldap/servers/slapd/overlays dyngroup.c
Index(es):
- Chronological
- Thread