Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
>
> I know how I would expect some servers to handle this control, but I don't
> think that guidance would necessarily apply to other access control
> models.
> I can offer the following text which might address Hallvard's concerns as
> I understand them.
>
> Access control policy SHOULD be applied to processing of the assertion
> control value. Use of the assertion control might enable a client to
> obtain information about an entry it does not have authority to. A result
> code associated with authority to evaluate the control assertion (e.g.
> insufficientAccess or assertionFailed) might also reveal information that
> violates access control policy; in such cases, the result code should be
> dictated by the access control policy.
There's some development ongoing in OpenLDAP's slapd on this; it's not in
a very representative piece of software though (back-sql), but I'm
planning to extend it to other backends. All operations support the
draft-zeilenga-ldap-assert control, and, whenever appropriate, if an error
is to be returned, including assertionFailed, the associated object is
checked for "disclose" access to the "entry" pseudo-attribute. If no
disclose access is granted, noSuchObject is returned instead of the real
error. Regular access checks related to filter testing apply.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
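The result-code policy described in the message above, as an added example that is not part of the original post and not OpenLDAP's own code: a small Python model in which an operation carrying an assertion control is processed against an entry, the real error (assertionFailed or insufficientAccess) is computed, and that error is only returned if the requester has "disclose" access to the entry; otherwise noSuchObject is returned, the same code a genuinely missing entry yields. The directory entries, requester names and access rights (DIRECTORY, ACL, the Access class and the process/probe functions) are constructed for illustration.

```python
# Added example, not from the original post or from OpenLDAP: a model of
# "if no disclose access is granted, noSuchObject is returned instead of
# the real error".  All names, entries and rights below are constructed.
from dataclasses import dataclass

# LDAP result codes: RFC 4511, plus assertionFailed from draft-zeilenga-ldap-assert
SUCCESS = 0
NO_SUCH_OBJECT = 32
INSUFFICIENT_ACCESS = 50
ASSERTION_FAILED = 122


@dataclass
class Access:
    """What one requester may do with one entry (constructed model).
    disclose: may learn that the entry exists at all (access to the
              "entry" pseudo-attribute).
    readable: attributes the requester may test in a filter/assertion.
    write:    may perform the requested (modifying) operation."""
    disclose: bool
    readable: frozenset
    write: bool


# Constructed sample directory: dn -> {attribute: set of values}
DIRECTORY = {
    "cn=secret,dc=example": {
        "cn": {"secret"},
        "userPassword": {"hunter2"},
    },
}

# Constructed sample policy: (requester, dn) -> Access
ACL = {
    ("anonymous", "cn=secret,dc=example"): Access(False, frozenset({"cn"}), False),
    ("auditor", "cn=secret,dc=example"): Access(True, frozenset({"cn"}), False),
    ("admin", "cn=secret,dc=example"): Access(True, frozenset({"cn", "userPassword"}), True),
}


def assertion_holds(entry, assertion, access):
    """Evaluate an equality assertion (attr, value) against an entry.
    Attributes the requester may not read evaluate as non-matching, so the
    assertion cannot probe values the requester cannot read ("regular
    access checks related to filter testing apply")."""
    attr, value = assertion
    if attr not in access.readable:
        return False
    return value in entry.get(attr, set())


def process(requester, dn, assertion, directory=DIRECTORY, acl=ACL):
    """Return the result code of an operation on `dn` carrying `assertion`.

    Any error that would confirm the entry's existence (assertionFailed,
    insufficientAccess) is only returned if the requester has disclose
    access; otherwise it is replaced by noSuchObject, the same code a
    genuinely missing entry yields."""
    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT
    # Unknown requester/entry pair: deny everything, including disclosure.
    access = acl.get((requester, dn), Access(False, frozenset(), False))

    if not assertion_holds(entry, assertion, access):
        real_error = ASSERTION_FAILED
    elif not access.write:
        real_error = INSUFFICIENT_ACCESS
    else:
        return SUCCESS

    return real_error if access.disclose else NO_SUCH_OBJECT


def probe(requester, dn, attr, guesses):
    """Result codes a client would see for several guessed values.  If the
    policy is sound, the codes do not depend on which guess is right."""
    return [process(requester, dn, (attr, g)) for g in guesses]
```

The two checks are independent and both matter: disclose access decides whether the client may learn that the entry exists at all, while read access on the asserted attribute decides whether a correct guess and a wrong guess produce different codes. A requester with disclose but no read access on userPassword (the "auditor" above) still gets assertionFailed for every guess, so the control does not become a password oracle.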
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext