
Re: [ldapext] Nested group (was: groupOfEntries object class proposal)



Pete Rowley wrote:
> Howard Chu wrote:
>> Also, even if the server doesn't enforce the semantics, the end result is a benign failure. I.e., if someone puts the DN of a groupOfEntries into the member attribute of a group, the worst that can happen is that those group members will not get the privilege that group membership was intended to convey. You cannot introduce a security breach here by accidentally giving privilege to a larger member set than intended. Likewise, the worst that can happen by putting the DN of a non-group entry into a nestedGroup attribute is that that specific user will not have his intended privilege.
>
> Any divergence from the intended membership and the derived membership of a group used for security purposes can introduce a security breach. Any access control mechanism that allows an explicit denial of privilege would be an issue.

Right, point taken, thanks.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
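An added illustration of the exchange above, not code from the thread or from any LDAP server: a small resolver for a hypothetical groupOfEntries schema where `member` lists entry DNs and `nestedGroup` lists other groups. It shows that a group DN mistakenly placed in `member` only shrinks derived membership, which is harmless for an allow rule but, as soon as an access rule can explicitly deny, lets a user the deny group was meant to cover through. All DNs and the allow/deny rule are constructed for the example.

```python
# Added example, not from the ldapext thread: a minimal resolver for a
# hypothetical groupOfEntries schema where "member" lists entry DNs and
# "nestedGroup" lists other groups, used to show why a DN filed in the wrong
# attribute is only a benign failure until an access rule can explicitly deny.

# Constructed directory (DNs are placeholders); "cn=blocked" is filled in below.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
CONTRACTORS = "cn=contractors,ou=groups,dc=example,dc=com"
BLOCKED = "cn=blocked,ou=groups,dc=example,dc=com"
GROUP = "groupOfEntries"

BASE_DIRECTORY = {
    STAFF: {"objectClass": [GROUP], "member": [ALICE], "nestedGroup": [CONTRACTORS]},
    CONTRACTORS: {"objectClass": [GROUP], "member": [BOB]},
    ALICE: {"objectClass": ["inetOrgPerson"]},
    BOB: {"objectClass": ["inetOrgPerson"]},
}

def derived_members(directory, group_dn, seen=None):
    """Non-group DNs reachable from group_dn: "member" entries that are not
    groups, plus everything under groups listed in "nestedGroup".  A group DN
    placed in "member" is skipped (schema semantics); `seen` breaks cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    entry = directory.get(group_dn, {})
    members = set()
    for dn in entry.get("member", []):
        if GROUP not in directory.get(dn, {}).get("objectClass", []):
            members.add(dn)
    for dn in entry.get("nestedGroup", []):
        members |= derived_members(directory, dn, seen)
    return members

def is_allowed(directory, user_dn, allow_group, deny_group):
    """allow_group grants access unless the user also resolves into deny_group."""
    if user_dn in derived_members(directory, deny_group):
        return False
    return user_dn in derived_members(directory, allow_group)

def deny_rule_outcome(misfiled):
    """Access decision for BOB when BLOCKED is meant to deny all contractors.
    misfiled=True puts the contractors DN in "member" instead of "nestedGroup"."""
    directory = dict(BASE_DIRECTORY)
    attr = "member" if misfiled else "nestedGroup"
    directory[BLOCKED] = {"objectClass": [GROUP], attr: [CONTRACTORS]}
    return is_allowed(directory, BOB, allow_group=STAFF, deny_group=BLOCKED)
```

With the contractors group correctly nested, `deny_rule_outcome(False)` refuses Bob; with the same DN misfiled under `member`, the deny group resolves to nobody and `deny_rule_outcome(True)` admits him.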

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext