> Also, even if the server doesn't enforce the semantics, the end result is a benign failure. I.e., if someone puts the DN of a groupOfEntries into the member attribute of a group, the worst that can happen is that those group members will not get the privilege that group membership was intended to convey. You cannot introduce a security breach here by accidentally giving privilege to a larger member set than intended. Likewise, the worst that can happen by putting the DN of a non-group entry into a nestedGroup attribute is that that specific user will not have his intended privilege.

Any divergence between the intended membership and the derived membership of a group used for security purposes can introduce a security breach. Any access control mechanism that allows an explicit denial of privilege would be an issue.
-- Pete
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
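The disagreement above is concrete enough to model. The following Python is an added illustration, not code from the thread or from any LDAP server: it builds a small constructed directory in which a group DN was filed under `member` instead of `nestedGroup`, computes both the membership an administrator intended and the membership a server that enforces the attribute semantics would derive, and evaluates a constructed allow/deny policy against each. The attribute names `member` and `nestedGroup`, the object class `groupOfEntries`, the DNs, and the policy format are assumptions for the example; the audit function `misfiled_dns` is the check an operator would run to find such divergences before they reach an access-control decision.

```python
"""Intended vs. derived LDAP group membership under an explicit-deny policy.

Added example for the ldapext thread; not code from the list or from any
directory server. Directory contents, attribute names and policy are
constructed for illustration.
"""
from typing import Callable, Dict, List, Set, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed DNs (not real entries).
ALICE = "cn=alice,ou=people,dc=example,dc=com"
BOB = "cn=bob,ou=people,dc=example,dc=com"
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
CONTRACTORS = "cn=contractors,ou=groups,dc=example,dc=com"
DENY_FINANCE = "cn=deny-finance,ou=groups,dc=example,dc=com"

# Constructed directory. The administrator meant deny-finance to cover
# alice plus everyone in contractors, but filed the contractors group DN
# under "member" rather than "nestedGroup".
DIRECTORY: Directory = {
    ALICE: {"objectClass": ["person"]},
    BOB: {"objectClass": ["person"]},
    STAFF: {"objectClass": ["groupOfEntries"], "member": [ALICE, BOB]},
    CONTRACTORS: {"objectClass": ["groupOfEntries"], "member": [BOB]},
    DENY_FINANCE: {
        "objectClass": ["groupOfEntries"],
        "member": [ALICE, CONTRACTORS],  # CONTRACTORS belongs in nestedGroup
        "nestedGroup": [],
    },
}

# Constructed policy: explicit deny outranks allow.
POLICY: List[Tuple[str, str]] = [("allow", STAFF), ("deny", DENY_FINANCE)]


def is_group(dn: str, directory: Directory) -> bool:
    return "groupOfEntries" in directory.get(dn, {}).get("objectClass", [])


def derived_members(group_dn: str, directory: Directory, _seen: Set[str] = None) -> Set[str]:
    """Membership a server that enforces the semantics computes:
    'member' holds direct members (a group DN there is not expanded),
    'nestedGroup' holds groups to expand (a non-group DN there is ignored)."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:  # cycle guard
        return set()
    seen.add(group_dn)
    entry = directory.get(group_dn, {})
    members = {dn for dn in entry.get("member", []) if not is_group(dn, directory)}
    for nested in entry.get("nestedGroup", []):
        if is_group(nested, directory):
            members |= derived_members(nested, directory, seen)
    return members


def intended_members(group_dn: str, directory: Directory, _seen: Set[str] = None) -> Set[str]:
    """Membership the administrator meant: every group DN found under either
    attribute is expanded, whichever attribute it was filed under."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    entry = directory.get(group_dn, {})
    members: Set[str] = set()
    for dn in entry.get("member", []) + entry.get("nestedGroup", []):
        if is_group(dn, directory):
            members |= intended_members(dn, directory, seen)
        else:
            members.add(dn)
    return members


def misfiled_dns(directory: Directory) -> List[Tuple[str, str, str]]:
    """Audit check: group DNs under 'member' and non-group DNs under
    'nestedGroup'. Each hit is a place where intended and derived
    membership can diverge."""
    problems = []
    for dn, entry in directory.items():
        if not is_group(dn, directory):
            continue
        for m in entry.get("member", []):
            if is_group(m, directory):
                problems.append((dn, "member", m))
        for n in entry.get("nestedGroup", []):
            if not is_group(n, directory):
                problems.append((dn, "nestedGroup", n))
    return problems


def decide(user_dn: str, policy: List[Tuple[str, str]], directory: Directory,
           resolver: Callable[[str, Directory], Set[str]]) -> str:
    """Evaluate the policy with the given membership resolver.
    Any matching deny wins; otherwise a matching allow grants; else deny."""
    decision = "deny"
    for effect, group_dn in policy:
        if user_dn in resolver(group_dn, directory):
            if effect == "deny":
                return "deny"
            decision = "allow"
    return decision


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.split(",")[0],
              "intended:", decide(user, POLICY, DIRECTORY, intended_members),
              "derived:", decide(user, POLICY, DIRECTORY, derived_members))
    print("misfiled:", misfiled_dns(DIRECTORY))
```

With only allow rules, the derived membership being smaller than intended costs bob a privilege and nothing more; once the policy carries an explicit deny keyed on a group, the same shrinkage lets bob through the deny rule and the allow on `staff` grants him access. Running `misfiled_dns` as a periodic check surfaces the misfiled DN before the policy is evaluated.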