
Re: [ldapext] Dynamic group draft



> One of the use-cases of dynamic group is to set a dynamic group as an ACL
> Trustee for a resource. For use in this situation, using the user's
> identity could be a problem with respect to both security and consistency.
> Imagine a case where a deny ACL is set using the dynamic group as a
> trustee with the expectation that the members of the dynamic group will
> match that. Now if the members get limited by the user's search rights,
> then an access could be granted where it should have not been. Using a
> separate identity (eg. dgIdentity) builds consistency and predictability
> into the dynamic group member list.
>
> imho the members of a dynamic group should be based on the intention of
> the administrator - not based on the rights of the user. However who can
> read the dynamic group attributes can be limited by the ACLs on the DG
> object.

I get the point, and I understand that your reasons are valid, but I think
the two points we're trying to make are different.

Your point makes sense when the group is being used for access control. 
For example, in OpenLDAP, under some circumstances, internal searches are
performed as the rootdn, since they are intended to collect data for
special purposes and not to operate on them on behalf of the client.  This
is the case, for example, of ACL checking: if internal lookups for ACL
checking were performed with the client's identity, there would be a
chicken and egg problem, where client's access to data used for ACL
checking would need to be checked.

But the draft, as it is now, seems to require that __any__ access to the
internal data be performed as dgIdentity, including direct access, like
listing the dynamic group member.  I believe this should be an option; the
draft should allow the owner of the dynamic group to decide how users can
access the data.  I don't mind if the default is dgIdentity, or anonymous
or the client's identity, but there should be the possibility to use both
(anonymous can be a special case of dgIdentity with the empty DN).

Cheers, p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
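The disagreement above is about which identity evaluates a dynamic group's member filter, and why that choice matters once the group is used as an ACL trustee. The following is an added illustration, not code from the thread, from the draft, or from OpenLDAP: a constructed in-memory directory with attribute-level read ACLs, a dynamic group whose filter depends on an attribute only an administrator may read, and a resource rule that denies access to members of that group. The DNs, the `employeeStatus` attribute and the `dgIdentity` value are invented for the example. Evaluating membership as the requesting client (or anonymously) silently drops the member the deny rule was meant to catch; evaluating as the configured dgIdentity keeps the list consistent with the administrator's intent, which is the consistency argument made in the quoted message, while `compare_policies` shows all three choices side by side, which is the configurability Pierangelo asks for.

```python
from dataclasses import dataclass, field

# Constructed example: a tiny in-memory directory with attribute-level read
# ACLs. It shows how the identity that evaluates a dynamic group's filter
# changes the member list, and therefore the result of an ACL check that
# uses the group as a trustee. Not OpenLDAP or draft code; DNs are invented.

ADMIN_DN = "cn=dgIdentity,dc=example,dc=com"   # hypothetical dgIdentity value
ANONYMOUS = ""                                  # empty DN stands for anonymous


@dataclass
class Entry:
    dn: str
    attrs: dict
    # attribute name -> set of DNs allowed to read it; "*" means everyone,
    # and attributes absent from this map are world-readable
    attr_acl: dict = field(default_factory=dict)


DIRECTORY = [
    Entry("uid=alice,ou=people,dc=example,dc=com",
          {"uid": "alice", "employeeStatus": "active"},
          {"employeeStatus": {ADMIN_DN}}),
    Entry("uid=bob,ou=people,dc=example,dc=com",
          {"uid": "bob", "employeeStatus": "suspended"},
          {"employeeStatus": {ADMIN_DN}}),
]

# Equality filter standing in for a memberURL such as
# ldap:///ou=people,dc=example,dc=com??sub?(employeeStatus=suspended)
SUSPENDED_FILTER = ("employeeStatus", "suspended")


def visible_attrs(entry, identity):
    """Return the attributes of `entry` that `identity` is allowed to read."""
    out = {}
    for name, value in entry.attrs.items():
        allowed = entry.attr_acl.get(name, {"*"})
        if "*" in allowed or identity in allowed:
            out[name] = value
    return out


def resolve_members(directory, member_filter, identity):
    """Evaluate the group filter as `identity`, honouring read ACLs.

    An attribute the evaluating identity cannot read is treated as absent,
    so the filter cannot match on it; this is what shrinks the member list.
    """
    attr, wanted = member_filter
    return sorted(e.dn for e in directory
                  if visible_attrs(e, identity).get(attr) == wanted)


def resource_access_allowed(client_dn, directory, member_filter, eval_identity):
    """Resource ACL: deny if the client is a member of the dynamic group.

    `eval_identity` is whoever evaluates membership: the draft's dgIdentity,
    the requesting client, or anonymous.
    """
    members = resolve_members(directory, member_filter, eval_identity)
    return client_dn not in members


def compare_policies(client_dn):
    """Access decision for `client_dn` under each evaluation identity."""
    return {
        "dgIdentity": resource_access_allowed(
            client_dn, DIRECTORY, SUSPENDED_FILTER, ADMIN_DN),
        "client": resource_access_allowed(
            client_dn, DIRECTORY, SUSPENDED_FILTER, client_dn),
        "anonymous": resource_access_allowed(
            client_dn, DIRECTORY, SUSPENDED_FILTER, ANONYMOUS),
    }


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for mode, allowed in compare_policies(bob).items():
        print(f"{mode:>10}: {'ALLOW' if allowed else 'DENY'}")
```

Run as a script it prints DENY for the dgIdentity evaluation and ALLOW for the client and anonymous evaluations: the deny rule only holds when membership is computed with an identity that can read everything the filter refers to. The same model also shows why reading the member list directly (the case the reply raises) is a separate question: `resolve_members` can be called with whatever identity the group owner chooses to expose, independently of the identity used for ACL evaluation.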