[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] draft-zeilenga-ldap-assert-05 notes

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 24 Feb 2005 21:18:49 +0100
Cc: ldapext@ietf.org
In-reply-to: <6.2.0.14.0.20050223215702.06a15670@mail.openldap.org>
References: <hbf.20050223mdue@bombur.uio.no> <6.2.0.14.0.20050223215702.06a15670@mail.openldap.org>

Kurt D. Zeilenga writes:
>At 09:35 AM 2/23/2005, Hallvard B Furuseth wrote:
>>draft-zeilenga-ldap-assert-05.txt says:
>>> 4.  Security Considerations
>>>
>>>   As with any general assertion mechanism, the mechanism can be used to
>>>   determine directory content.  Hence, this mechanism SHOULD be subject
>>>   to appropriate access controls.
>>
>>I suggest to add something like:
>>
>>    ... preferably the same access controls as search filters.
>
> Is there a search reason behind this preference?

It seemed to fit best the few access control models I know of.  If a
baseobject search for "(&)" or "(objectClass=*)" returns the entry but a
search for some other filter does not, I think Modify with an assertion
of that filter should cause assertionFailed.  But I must admit I haven't
thought through all the variants of this control and access controls
even in the models I do know.

> I rather not state a preference as part of a security considerations
> unless there is a good security related reason for that preference.

The security reason I'm aware of is that I got it very wrong the
first time I thought of implementing access controls for this control.

>> The implementor might find the same access controls as for Compare
>> natural, but the server admin might e.g. not want substring matching to
>> be possible - and he could have written the Compare ACLs knowing that
>> Compare can't do substring matching.  Or one might mistakenly use the
>> same ACLs as for the "basic" operation being performed, e.g. Modify.
>
> It seems to be your statements depend greatly on what the
> access control model is...  I can certainly envision models
> where that would not be a mistake.

Can you give an example?  Hypothetical or not.


BTW, another point:  The draft says

>  When the control is attached to an LDAP request, the processing of the
>  request is conditional on the evaluation of the Filter as applied
>  against the target of the operation.

Except that the control should not prevent the return of a referral, I
presume.

-- 
Hallvard

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: [ldapext] comment control, dummy request, no-response request
Next by Date: Re: [ldapext] draft-behera-ldap-password-policy - last login time
Index(es):
- Chronological
- Thread