OpenLDAP
Viewing Development/6198
From: hyc@openldap.org
Subject: Authorization for extensions
0 replies:
4 followups: 1 2 3 4


Date: Tue, 07 Jul 2009 02:38:18 +0000
From: hyc@openldap.org
To: openldap-its@OpenLDAP.org
Subject: Authorization for extensions
Full_Name: Howard Chu
Version: HEAD/2.5
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc


The access control mechanism needs to be extended to control actions, not just
objects, to control who may use various LDAP Controls and Extended Operations.

E.g.
  access to control=<oid> by <who>
  access to op=<operation or oid> by <who>

Perhaps the control= / op= specifier should be usable in combination with the
other <what> specifiers; I haven't thought too deeply about it. It only makes
sense in limited contexts, since various extensions may not even affect any
particular directory object.

Followup 1

Date: Tue, 07 Jul 2009 09:38:38 +0200
From: Michael Ströder <michael@stroeder.com>
To: hyc@OpenLDAP.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions
hyc@OpenLDAP.org wrote:
> Full_Name: Howard Chu
> Version: HEAD/2.5
> OS: 
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.91.220.157)
> Submitted by: hyc
> 
> 
> The access control mechanism needs to be extended to control actions, not just
> objects, to control who may use various LDAP Controls and Extended Operations.

+1

> E.g.
>   access to control=<oid> by <who>
>   access to op=<operation or oid> by <who>
                  ^^^^^^^^^
What is "operation" supposed to be? I'd prefer only to allow "oid" since
OIDs are the only identifiers clearly specified in RFCs and I-Ds.

Ciao, Michael.



Followup 2

Date: Tue, 07 Jul 2009 01:56:45 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions
Michael Ströder wrote:
> hyc@OpenLDAP.org wrote:
>> Full_Name: Howard Chu
>> Version: HEAD/2.5
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (76.91.220.157)
>> Submitted by: hyc
>>
>>
>> The access control mechanism needs to be extended to control actions, not just
>> objects, to control who may use various LDAP Controls and Extended Operations.
>
> +1
>
>> E.g.
>>    access to control=<oid> by <who>
>>    access to op=<operation or oid> by <who>
>                    ^^^^^^^^^
> What is "operation" supposed to be? I'd prefer only to allow "oid" since
> OIDs are the only identifiers clearly specified in RFCs and I-Ds.

Ugh, no. There's no way any sysadmin is going to remember what each OID means. 
Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, etc.

Don't make the same mistake the original LDAP implementers did - numeric OIDs 
are for machine consumption only; they should always be mapped to mnemonic 
names for use by humans. (Technically they should be mapped to *localized* 
names; obviously the names were not intended to be part of the protocol 
specification. This is another glaring flaw in the LDAP specifications...)

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 3

Date: Tue, 07 Jul 2009 11:24:55 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions
Howard Chu wrote:
> Michael Ströder wrote:
>> hyc@OpenLDAP.org wrote:
>>> Full_Name: Howard Chu
>>> Version: HEAD/2.5
>>> OS:
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (76.91.220.157)
>>> Submitted by: hyc
>>>
>>>
>>> The access control mechanism needs to be extended to control actions, not just
>>> objects, to control who may use various LDAP Controls and Extended Operations.
>>
>> +1
>>
>>> E.g.
>>>    access to control=<oid> by <who>
>>>    access to op=<operation or oid> by <who>
>>                    ^^^^^^^^^
>> What is "operation" supposed to be? I'd prefer only to allow "oid" since
>> OIDs are the only identifiers clearly specified in RFCs and I-Ds.
> 
> Ugh, no. There's no way any sysadmin is going to remember what each OID
> means.

There are tools to display them:
http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base

There also could be GUI tools to display ACLs to humans.

> Each exop will be given a "friendly name" like WhoAmI, ModifyPwd, 
> etc.

Who maintains the list of friendly names? Yes, the OpenLDAP project can
maintain a proprietary list like all other LDAP vendors do. :-(
Probably that's another topic for cross-vendor coordination...

Ciao, Michael.



Followup 4

Date: Tue, 07 Jul 2009 02:56:59 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6198) Authorization for extensions
Michael Ströder wrote:
> Howard Chu wrote:
>> Ugh, no. There's no way any sysadmin is going to remember what each OID
>> means.
>
> There are tools to display them:
> http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/??base
>
> There also could be GUI tools to display ACLs to humans.

None of which may be accessible when trying to diagnose a crashed system. It 
must always be practical to manually edit a slapd configuration.

>> Each exop will be given a "friendly name" like WhoAmI, ModifyPwd,
>> etc.

> Who maintains the list of friendly names? Yes, the OpenLDAP project can
> maintain a proprietary list like all other LDAP vendors do. :-(
> Probably that's another topic for cross-vendor coordination...

Interoperability is not a requirement for slapd configuration elements. 
However, any shortname already present in RFCs would be obvious first choices. 
E.g., "passwdModify" (RFC 3062, section 2) and "whoami" (RFC 4532, section 2) 
(derived by dropping the letters "OID" from the name of the OID definition). 
Or just accept any oidmacros, as some of the other config items already do.

On that score I believe we should promote more pervasive use of OID macros 
instead of numeric OIDs, because that greatly enhances comprehension by human 
administrators. I believe we should define macros for all of the syntaxes etc. 
already in common use in slapd and document them, guaranteeing that they will 
be available for everyone else who uses OpenLDAP to also take advantage of 
them. (Note that back-config already has several hardcoded, but they're 
decorated with "OM" prefix and not documented for public consumption. For real 
use they should be unadorned, using plain names such as "integer" or 
"directoryString" ...)

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
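As an added illustration of the two ideas argued over in this thread (the `access to op=<operation or oid> by <who>` rule from the original report, and the RFC short names / OID macros suggested in this reply), the following Python is example code written for this page; it is not slapd code. It resolves an op= specifier given as a numeric OID, an RFC short name, or an `objectIdentifier` macro reference to one canonical OID, so that all three spellings name the same extended operation, and then evaluates the rules in slapd's first-match order. The `access to op=` syntax is the one proposed in ITS#6198 and is not something slapd accepts; `objectIdentifier <name> <oid>` is slapd's real macro directive; the two OIDs and their short names come from RFC 3062 and RFC 4532; the sample configuration, the DNs, the `users` / `*` matching and the default-deny behaviour for operations no rule covers are constructed assumptions.

```python
import re

# Short names derived as the reply suggests, by dropping "OID" from the name of
# the OID definition in the RFC: passwdModifyOID (RFC 3062), whoamiOID (RFC 4532).
RFC_SHORT_NAMES = {
    "passwdmodify": "1.3.6.1.4.1.4203.1.11.1",
    "whoami": "1.3.6.1.4.1.4203.1.11.3",
}

OID_RE = re.compile(r"^\d+(\.\d+)+$")


class ExopAcl:
    """Resolve exop specifiers to canonical OIDs and evaluate 'access to op=' rules.

    Constructed example: 'access to op=' is the syntax proposed in ITS#6198,
    not a directive slapd actually accepts."""

    def __init__(self):
        self.macros = {}  # objectIdentifier macro name -> OID (prefix)
        self.rules = []   # (canonical OID, [who, ...]) in configuration order

    def resolve(self, spec):
        """Canonicalize a numeric OID, an RFC short name, or a macro[:suffix]."""
        if OID_RE.match(spec):
            return spec
        if spec.lower() in RFC_SHORT_NAMES:
            return RFC_SHORT_NAMES[spec.lower()]
        # slapd's objectIdentifier directive lets later names refer to a
        # macro as <name>:<suffix>; the suffix is appended to the macro's OID.
        base, _, suffix = spec.partition(":")
        if base in self.macros:
            return self.macros[base] + ("." + suffix if suffix else "")
        raise ValueError(f"unknown exop specifier: {spec!r}")

    def friendly_name(self, oid):
        """Display an OID for humans: RFC short name, then macro:suffix, else digits."""
        for name, known in RFC_SHORT_NAMES.items():
            if known == oid:
                return name
        for name, prefix in self.macros.items():
            if oid.startswith(prefix + "."):
                return f"{name}:{oid[len(prefix) + 1:]}"
        return oid

    def load(self, config):
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            tokens = line.split()
            if tokens[0] == "objectIdentifier" and len(tokens) == 3:
                # Real slapd directive: objectIdentifier <name> { <oid> | <name>[:<suffix>] }
                self.macros[tokens[1]] = self.resolve(tokens[2])
            elif tokens[:2] == ["access", "to"] and len(tokens) > 2 and tokens[2].startswith("op="):
                # Hypothetical: access to op=<oid or name> by <who> [by <who> ...]
                oid = self.resolve(tokens[2][len("op="):])
                whos = [tokens[i + 1] for i, t in enumerate(tokens[3:], start=3)
                        if t == "by" and i + 1 < len(tokens)]
                self.rules.append((oid, whos))
            else:
                raise ValueError(f"unsupported line: {line}")

    @staticmethod
    def _who_matches(clause, who):
        # Assumed semantics: "*" is anyone, "users" is any authenticated
        # identity, anything else is compared as a DN.
        if clause == "*":
            return True
        if clause == "users":
            return who != "anonymous"
        return clause.lower() == who.lower()

    def allowed(self, requested_oid, who):
        """slapd-style evaluation: the first 'access to' whose <what> matches decides,
        and within it the first matching 'by' clause grants; no matching 'by' clause
        means deny. Operations no rule covers are denied here (an assumption)."""
        for oid, whos in self.rules:
            if oid == requested_oid:
                return any(self._who_matches(w, who) for w in whos)
        return False


# Constructed sample configuration; the DNs are placeholders.
SAMPLE_CONFIG = """
objectIdentifier OpenLDAPexop 1.3.6.1.4.1.4203.1.11
access to op=whoami by users
access to op=passwdModify by cn=admin,dc=example,dc=com
access to op=OpenLDAPexop:3 by *
"""


def load_sample():
    acl = ExopAcl()
    acl.load(SAMPLE_CONFIG)
    return acl


if __name__ == "__main__":
    acl = load_sample()
    for spec in ("whoami", "OpenLDAPexop:3", "1.3.6.1.4.1.4203.1.11.3"):
        print(f"{spec:25} -> {acl.resolve(spec)}")
    for who in ("uid=alice,dc=example,dc=com", "anonymous"):
        print(f"{who}: whoami allowed = {acl.allowed('1.3.6.1.4.1.4203.1.11.3', who)}")
```

Two points the sample brings out: `whoami`, `OpenLDAPexop:3` and `1.3.6.1.4.1.4203.1.11.3` all resolve to the same operation, so the spelling an administrator chooses in the config does not change which rule applies; and because evaluation stops at the first `access to` whose <what> matches, the anonymous user is denied `whoami` by the `by users` rule even though a later `by *` rule names the same OID, exactly the ordering trap that exists for object ACLs today.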


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org