Development/6198
Date: Tue, 07 Jul 2009 02:38:18 +0000
From: hyc@openldap.org
To: openldap-its@OpenLDAP.org
Subject: Authorization for extensions

Full_Name: Howard Chu
Version: HEAD/2.5
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc

The access control mechanism needs to be extended to control actions, not just objects, to control who may use various LDAP Controls and Extended Operations. E.g.

    access to control=<oid> by <who>
    access to op=<operation or oid> by <who>

Perhaps the control= / op= specifier should be usable in combination with the other <what> specifiers; I haven't thought too deeply about it. It only makes sense in limited contexts, since various extensions may not even affect any particular directory object.
Date: Tue, 07 Jul 2009 09:38:38 +0200
From: Michael Ströder <michael@stroeder.com>
To: hyc@OpenLDAP.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions

hyc@OpenLDAP.org wrote:
> Full_Name: Howard Chu
> Version: HEAD/2.5
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.91.220.157)
> Submitted by: hyc
>
>
> The access control mechanism needs to be extended to control actions, not just
> objects, to control who may use various LDAP Controls and Extended Operations.

+1

> E.g.
> access to control=<oid> by <who>
> access to op=<operation or oid> by <who>
                ^^^^^^^^^

What is "operation" supposed to be? I'd prefer only to allow "oid" since OIDs are the only identifiers clearly specified in RFCs and I-Ds.

Ciao, Michael.
Date: Tue, 07 Jul 2009 01:56:45 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions

Michael Ströder wrote:
> hyc@OpenLDAP.org wrote:
>> Full_Name: Howard Chu
>> Version: HEAD/2.5
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (76.91.220.157)
>> Submitted by: hyc
>>
>>
>> The access control mechanism needs to be extended to control actions, not just
>> objects, to control who may use various LDAP Controls and Extended Operations.
>
> +1
>
>> E.g.
>> access to control=<oid> by <who>
>> access to op=<operation or oid> by <who>
>                ^^^^^^^^^
> What is "operation" supposed to be? I'd prefer only to allow "oid" since
> OIDs are the only identifiers clearly specified in RFCs and I-Ds.

Ugh, no. There's no way any sysadmin is going to remember what each OID means. Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, etc. Don't make the same mistake the original LDAP implementers did - numeric OIDs are for machine consumption only; they should always be mapped to mnemonic names for use by humans. (Technically they should be mapped to *localized* names; obviously the names were not intended to be part of the protocol specification. This is another glaring flaw in the LDAP specifications...)

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Date: Tue, 07 Jul 2009 11:24:55 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions

Howard Chu wrote:
> Michael Ströder wrote:
>> hyc@OpenLDAP.org wrote:
>>> Full_Name: Howard Chu
>>> Version: HEAD/2.5
>>> OS:
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (76.91.220.157)
>>> Submitted by: hyc
>>>
>>>
>>> The access control mechanism needs to be extended to control actions,
>>> not just
>>> objects, to control who may use various LDAP Controls and Extended
>>> Operations.
>>
>> +1
>>
>>> E.g.
>>> access to control=<oid> by <who>
>>> access to op=<operation or oid> by <who>
>>                ^^^^^^^^^
>> What is "operation" supposed to be? I'd prefer only to allow "oid" since
>> OIDs are the only identifiers clearly specified in RFCs and I-Ds.
>
> Ugh, no. There's no way any sysadmin is going to remember what each OID
> means.

There are tools to display them:
http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base

There also could be GUI tools to display ACLs to humans.

> Each exop will be given a "friendly name" like WhoAmI, ModifyPwd,
> etc.

Who maintains the list of friendly names? Yes, the OpenLDAP project can maintain a proprietary list like all other LDAP vendors do. :-(
Probably that's another topic for cross-vendor coordination...

Ciao, Michael.
Date: Tue, 07 Jul 2009 02:56:59 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions

Michael Ströder wrote:
> Howard Chu wrote:
>> Ugh, no. There's no way any sysadmin is going to remember what each OID
>> means.
>
> There are tools to display them:
> http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base
>
> There also could be GUI tools to display ACLs to humans.

None of which may be accessible when trying to diagnose a crashed system. It must always be practical to manually edit a slapd configuration.

>> Each exop will be given a "friendly name" like WhoAmI, ModifyPwd,
>> etc.
> Who maintains the list of friendly names? Yes, the OpenLDAP project can
> maintain a proprietary list like all other LDAP vendors do. :-(
> Probably that's another topic for cross-vendor coordination...

Interoperability is not a requirement for slapd configuration elements. However, any shortname already present in RFCs would be obvious first choices. E.g., "passwdModify" (RFC 3062, section 2) and "whoami" (RFC 4532, section 2) (derived by dropping the letters "OID" from the name of the OID definition). Or just accept any oidmacros, as some of the other config items already do.

On that score I believe we should promote more pervasive use of OID macros instead of numeric OIDs, because that greatly enhances comprehension by human administrators. I believe we should define macros for all of the syntaxes etc. already in common use in slapd and document them, guaranteeing that they will be available for everyone else who uses OpenLDAP to also take advantage of them. (Note that back-config already has several hardcoded, but they're decorated with "OM" prefix and not documented for public consumption. For real use they should be unadorned, using plain names such as "integer" or "directoryString" ...)

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
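The two points argued across this thread, an "access to op=<name or oid> by <who>" rule form for extended operations, and the mapping of numeric OIDs to RFC-derived mnemonic names for the humans who edit the config, can be shown together in a small evaluator. The following Python is an added illustration written for this page; it is not slapd code and not an OpenLDAP-supplied syntax. Everything beyond the proposal's own rule shape is an assumption: each "by" clause ends in a level token, "allow" or "none"; <who> is limited to "*", "users", "anonymous" and dn.exact="..."; the first rule whose op matches decides, within it the first matching by-clause decides, and an implicit "by * none" closes every rule. The macro table holds only the two names Howard derives above (RFC 3062 passwdModifyOID, RFC 4532 whoamiOID) with the OIDs those RFCs assign; the sample config and the DNs in it are constructed.

```python
"""Toy evaluator for the proposed 'access to op=<name or oid> by <who>' rule.

Added illustration, not slapd code. Hypothetical assumptions: each 'by'
clause carries a level token ('allow' or 'none'); <who> is limited to '*',
'users', 'anonymous' and dn.exact="..."; the first rule whose op matches
decides, and within it the first matching by-clause decides, with an
implicit 'by * none' at the end of every rule (deny by default).
"""
import re
from typing import Dict, List, Optional, Tuple

# Mnemonic names derived from the RFC OID definitions by dropping the trailing
# "OID" (RFC 3062 passwdModifyOID, RFC 4532 whoamiOID). The OID values are the
# ones those RFCs assign; the table itself is constructed for this example.
OID_MACROS: Dict[str, str] = {
    "passwdModify": "1.3.6.1.4.1.4203.1.11.1",
    "whoami": "1.3.6.1.4.1.4203.1.11.3",
}
NAMES_BY_OID = {oid: name for name, oid in OID_MACROS.items()}

_OID_RE = re.compile(r"^\d+(\.\d+)+$")
_RULE_RE = re.compile(r"^access\s+to\s+op=(\S+)\s+by\s+(.+)$")
_BY_RE = re.compile(r'(\*|users|anonymous|dn\.exact="[^"]*")\s+(allow|none)')


def resolve_op(spec: str) -> str:
    """Map an op= specifier (mnemonic macro or dotted OID) to the numeric OID
    used for matching. An unknown mnemonic is a configuration error and is
    rejected when the config is read rather than silently never matching."""
    if _OID_RE.match(spec):
        return spec
    if spec in OID_MACROS:
        return OID_MACROS[spec]
    raise ValueError(f"unknown op specifier {spec!r}")


def friendly_name(oid: str) -> str:
    """Render an OID for humans: the mnemonic where one exists, else the OID."""
    return NAMES_BY_OID.get(oid, oid)


def _who_matches(who: str, bound_dn: Optional[str]) -> bool:
    """bound_dn is None for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "users":
        return bound_dn is not None
    if who == "anonymous":
        return bound_dn is None
    if who.startswith('dn.exact="'):
        return bound_dn is not None and bound_dn.lower() == who[10:-1].lower()
    return False


class OpPolicy:
    def __init__(self, config_text: str) -> None:
        # Each rule: (numeric OID, [(who, level), ...]) in file order.
        self.rules: List[Tuple[str, List[Tuple[str, str]]]] = []
        for raw in config_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _RULE_RE.match(line)
            if not m:
                raise ValueError(f"unparseable rule: {line!r}")
            clauses = []
            for piece in re.split(r"\s+by\s+", m.group(2)):
                cm = _BY_RE.fullmatch(piece.strip())
                if not cm:
                    raise ValueError(f"bad by-clause {piece!r} in: {line!r}")
                clauses.append((cm.group(1), cm.group(2)))
            self.rules.append((resolve_op(m.group(1)), clauses))

    def permits(self, op_oid: str, bound_dn: Optional[str]) -> bool:
        for oid, clauses in self.rules:
            if oid != op_oid:
                continue
            for who, level in clauses:
                if _who_matches(who, bound_dn):
                    return level == "allow"
            return False  # implicit 'by * none'
        return False  # no rule for this op at all: deny

    def describe(self) -> List[str]:
        """Rules rendered with mnemonic names, the view meant for humans."""
        return [
            f"{friendly_name(oid)}: " + ", ".join(f"{w} {lv}" for w, lv in cl)
            for oid, cl in self.rules
        ]


# Constructed sample configuration in the proposed syntax; the DN is made up.
# The second rule deliberately uses the numeric OID to show both forms resolve
# to the same thing, and describe() renders it back as "passwdModify".
SAMPLE_CONFIG = """
access to op=whoami by users allow by * none
access to op=1.3.6.1.4.1.4203.1.11.1 by dn.exact="cn=admin,dc=example,dc=com" allow by * none
"""

if __name__ == "__main__":
    policy = OpPolicy(SAMPLE_CONFIG)
    for entry in policy.describe():
        print(entry)
    print(policy.permits(OID_MACROS["passwdModify"], "uid=alice,dc=example,dc=com"))
```

The design point worth keeping from this toy is the split between the two representations: names are resolved to numeric OIDs once, at config-read time, so matching against the OID carried in the request is exact and an unknown name fails loudly, while describe() turns the stored OIDs back into names whenever a human needs to read the policy, including on a box where no GUI tool is reachable.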
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org