
Re: [ldapext] draft-zeilenga-ldap-assert-05 notes



>
> I know how I would expect some servers to handle this control, but I don't
> think that guidance would necessarily apply to other access control
> models.
> I can offer the following text which might address Hallvard's concerns
> as I understand them.
>
> Access control policy SHOULD be applied to processing of the assertion
> control value.  Use of the assertion control might enable a client to
> obtain information about an entry it does not have authority to.  A result
> code associated with authority to evaluate the control assertion (e.g.
> insufficientAccess or assertionFailed) might also reveal information that
> violates access control policy; in such cases, the result code should be
> dictated by the access control policy.

There's some development ongoing in OpenLDAP's slapd on this; it's not in
a very representative piece of software though (back-sql), but I'm
planning to extend it to other backends.  All operations support the
draft-zeilenga-ldap-assert control, and, whenever appropriate, if an error
is to be returned, including assertionFailed, the associated object is
checked for "disclose" access to the "entry" pseudo-attribute.  If no
disclose access is granted, noSuchObject is returned instead of the real
error.  Regular access checks related to filter testing apply.


p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
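The behaviour Pierangelo describes for slapd, written out as an added example (this is not OpenLDAP code nor text from the draft): an assertion control is evaluated under the regular filter access checks, and before any error result, including assertionFailed, is sent back, the subject's "disclose" access to the "entry" pseudo-attribute is checked; without it the real code is replaced by noSuchObject. The access levels and the "entry" pseudo-attribute follow the slapd.access(5) model; the directory contents, the subjects (admin, alice, bob, carol), the filter tuple syntax and the `probe` helper are constructed for this example. Result code values are those of RFC 4511 and RFC 4528.

```python
# Added example, not code from OpenLDAP or from the draft: a model of server-side
# handling of the assertion control (draft-zeilenga-ldap-assert, later RFC 4528)
# under an access control policy. Access levels and the "entry" pseudo-attribute are
# patterned on slapd.access(5); directory data, subjects, filter syntax and the
# probe() helper are constructed for this example.

# Result codes: RFC 4511 (success, noSuchObject, insufficientAccessRights) and
# RFC 4528 (assertionFailed).
SUCCESS, NO_SUCH_OBJECT, INSUFFICIENT_ACCESS, ASSERTION_FAILED = 0, 32, 50, 122

# Access levels in increasing strength; "disclose" is the lowest level that lets a
# subject learn that an entry exists at all.
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write")


def has_access(acl, subject, dn, attr, want):
    """True if `subject` holds at least level `want` on `attr` of `dn`.
    `attr` may be the "entry" pseudo-attribute; an absent rule means "none"."""
    have = acl.get(dn, {}).get(attr, {}).get(subject, "none")
    return LEVELS.index(have) >= LEVELS.index(want)


def eval_filter(flt, entry, acl, subject):
    """Evaluate a tiny filter language against one entry:
    ("equal", attr, value) | ("present", attr) | ("and", [f, ...]) | ("not", f).
    Regular filter access checks apply: an attribute the subject lacks "search"
    access to is treated exactly like an attribute absent from the entry, so the
    assertion result cannot be used to read values the subject may not see."""
    kind = flt[0]
    if kind == "and":
        return all(eval_filter(f, entry, acl, subject) for f in flt[1])
    if kind == "not":
        return not eval_filter(flt[1], entry, acl, subject)
    attr = flt[1]
    if not has_access(acl, subject, entry["dn"], attr, "search"):
        return False
    values = entry["attrs"].get(attr, [])
    if kind == "present":
        return bool(values)
    if kind == "equal":
        return flt[2] in values
    raise ValueError(f"unknown filter kind {kind!r}")


def process(directory, acl, subject, dn, op, assertion=None, mask_errors=True):
    """Process `op` ("read" or "modify") on `dn` for `subject`, honouring an optional
    assertion control. Whenever an error is about to be returned (assertionFailed
    included), "disclose" access to the "entry" pseudo-attribute is checked; without
    it the real error is replaced by noSuchObject, the same reply a nonexistent DN
    gets. mask_errors=False shows the leaky behaviour for comparison."""
    def finish(code):
        if code == SUCCESS or not mask_errors:
            return code
        return code if has_access(acl, subject, dn, "entry", "disclose") else NO_SUCH_OBJECT

    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT
    if assertion is not None and not eval_filter(assertion, entry, acl, subject):
        return finish(ASSERTION_FAILED)
    if not has_access(acl, subject, dn, "entry", "write" if op == "modify" else "read"):
        return finish(INSUFFICIENT_ACCESS)
    return SUCCESS


# Constructed sample directory and ACL. "bob" has no access at all to Alice's entry;
# "carol" may learn that the entry exists and search on uid, but not on title.
ALICE = "uid=alice,dc=example,dc=com"
NOBODY = "uid=nobody,dc=example,dc=com"
DIRECTORY = {ALICE: {"dn": ALICE, "attrs": {"uid": ["alice"], "title": ["CISO"]}}}
ACL = {
    ALICE: {
        "entry": {"admin": "write", "alice": "read", "carol": "disclose"},
        "uid":   {"admin": "write", "alice": "read", "carol": "search"},
        "title": {"admin": "write", "alice": "read"},
    },
}


def probe(subject, dn, value, mask_errors=True):
    """Result code a client gets by asserting title=<value> on a modify of `dn`."""
    return process(DIRECTORY, ACL, subject, dn, "modify",
                   ("equal", "title", value), mask_errors=mask_errors)


if __name__ == "__main__":
    # Unmasked, bob can tell Alice's entry exists: 122 for it versus 32 for a missing DN.
    print("bob, unmasked:", probe("bob", ALICE, "CISO", False), probe("bob", NOBODY, "CISO", False))
    # Masked, both answers are noSuchObject.
    print("bob, masked:  ", probe("bob", ALICE, "CISO"), probe("bob", NOBODY, "CISO"))
    # carol may know the entry exists, but title is treated as absent: every guess fails alike.
    print("carol:        ", probe("carol", ALICE, "CISO"), probe("carol", ALICE, "intern"))
    # admin sees real assertion results: the correct value proceeds, the wrong one fails.
    print("admin:        ", probe("admin", ALICE, "CISO"), probe("admin", ALICE, "intern"))
```

The two checks are independent and both are needed: the filter access check stops the assertion from acting as a value oracle for attributes the subject may not search, and the disclose check on the error path stops the result code itself from revealing that an entry exists. Mapping the masked error to noSuchObject rather than to a distinct code matters because it is the same answer a truly missing DN produces.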