
RE: [ldapext] Nested group (was: groupOfEntries object class proposal)



> 
> > The problem is that you have a generic "DN" container that is given
> > specific semantics. IE nestedGroupObject is supposed to contain only
> > entries that have groupOfEntries as its STRUCTURAL class, but you do not
> > enforce it. So it may contain anything. Same for member.
> 
> As usual, garbage-in-garbage-out. You can probably implement enforcement in
> the server, but that doesn't need to be mandated in the specification. There
> are plenty of standards track schema elements that use a very general syntax,
> but whose description says a value of a particular form is expected.
> 
> Also, even if the server doesn't enforce the semantics, the end result is a
> benign failure. I.e., if someone puts the DN of a groupOfEntries into the
> member attribute of a group, the worst that can happen is that those group
> members will not get the privilege that group membership was intended to
> convey. You cannot introduce a security breach here by accidentally giving
> privilege to a larger member set than intended. Likewise, the worst that can
> happen by putting the DN of a non-group entry into a nestedGroup attribute is
> that that specific user will not have his intended privilege.

What?  It seems to me you are assuming how the security policy makes
use of the group (only for granting of privilege).  Membership in a
group can also be (and is) used by a security policy to DENY access.
This is one reason I brought up my original concern.
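To make the point of the exchange concrete, here is an added example that is not part of the thread: a small nested-group resolver over a constructed directory, with a constructed policy that uses group membership to deny access. The entry DNs, the `member`/`nestedGroup` attribute names and the policy are assumptions for illustration; when a user DN is misfiled under `nestedGroup` instead of `member`, the resolver silently skips it, which is harmless for a grant-only policy but makes a deny rule stop applying.

```python
# Added example (not from the thread): a DN filed under the wrong attribute of
# a nested-group entry is ignored by a strict resolver. That is a benign failure
# for a policy that GRANTS on membership, but fails open for one that DENIES.
from typing import Dict, Optional, Set

# Constructed directory: entry DN -> attribute -> set of values.
# 'member' is meant to hold user DNs and 'nestedGroup' group DNs, but, as the
# thread notes, nothing in the schema forces a server to enforce that.
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    "cn=contractors,ou=groups,dc=example": {
        "objectClass": {"groupOfEntries", "nestedGroupObject"},
        "member": {"uid=alice,ou=people,dc=example"},
        "nestedGroup": {"cn=temps,ou=groups,dc=example"},
    },
    "cn=temps,ou=groups,dc=example": {
        "objectClass": {"groupOfEntries"},
        "member": {"uid=bob,ou=people,dc=example"},
    },
    # Misfiled entry: a user DN placed in nestedGroup instead of member.
    "cn=blocked,ou=groups,dc=example": {
        "objectClass": {"groupOfEntries", "nestedGroupObject"},
        "member": set(),
        "nestedGroup": {"uid=mallory,ou=people,dc=example"},
    },
    "uid=mallory,ou=people,dc=example": {"objectClass": {"person"}},
}


def is_member(group_dn: str, user_dn: str, seen: Optional[Set[str]] = None) -> bool:
    """Resolve (nested) membership. Only entries carrying groupOfEntries are
    followed through nestedGroup; any other DN found there is ignored, which is
    the 'benign failure' described in the quoted message."""
    if seen is None:
        seen = set()
    if group_dn in seen:        # guard against nesting cycles
        return False
    seen.add(group_dn)
    entry = DIRECTORY.get(group_dn)
    if entry is None or "groupOfEntries" not in entry.get("objectClass", set()):
        return False
    if user_dn in entry.get("member", set()):
        return True
    return any(is_member(g, user_dn, seen) for g in entry.get("nestedGroup", set()))


def allowed(user_dn: str) -> bool:
    """Constructed policy: deny members of cn=blocked, allow everyone else."""
    return not is_member("cn=blocked,ou=groups,dc=example", user_dn)
```

Run against the constructed data, `allowed("uid=mallory,...")` comes back `True` even though the administrator intended mallory to be blocked, because the misfiled DN never resolves as a member.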


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext