Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
Pete Rowley wrote:
> Howard Chu wrote:
>> Also, even if the server doesn't enforce the semantics, the end result
>> is a benign failure. I.e., if someone puts the DN of a groupOfEntries
>> into the member attribute of a group, the worst that can happen is
>> that those group members will not get the privilege that group
>> membership was intended to convey. You cannot introduce a security
>> breach here by accidentally giving privilege to a larger member set
>> than intended. Likewise, the worst that can happen by putting the DN
>> of a non-group entry into a nestedGroup attribute is that that
>> specific user will not have his intended privilege.
> Any divergence between the intended membership and the derived membership
> of a group used for security purposes can introduce a security breach.
> Any access control mechanism that allows an explicit denial of
> privilege would be an issue.
Right, point taken, thanks.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
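The point Pete makes above (a user silently dropping out of a group is harmless only while every rule keyed on that group grants privilege; once a deny rule is keyed on it, losing membership removes the denial) is easy to see in a toy model. The following is an added example written for this page, not code from the thread, the groupOfEntries proposal, or OpenLDAP. It assumes, as the proposal describes, a group class with a `member` attribute for direct (non-group) members and a `nestedGroup` attribute for sub-groups, and it models the "server does not enforce the semantics" case by ignoring a DN that lands in the wrong attribute. The directory contents, the DNs, the `secrets` resource and the first-match ACL evaluator are all constructed for the illustration.

```python
"""Toy nested-group resolver plus ACL evaluator (constructed example).

Demonstrates: misplacing a user's DN in the wrong attribute makes that
user vanish from the derived membership. Under allow-only rules that is
a benign loss of privilege; under a deny rule keyed on the same group it
grants access the administrator meant to deny.
"""
import copy

# Hypothetical DNs, constructed for this example.
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
ENGINEERING = "cn=engineering,ou=groups,dc=example,dc=com"
CONTRACTORS = "cn=contractors,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"

# Constructed directory as the administrator intends it: Bob is staff and
# also a contractor; Carol reaches staff through the engineering sub-group.
DIRECTORY = {
    STAFF:       {"objectClass": ["groupOfEntries"],
                  "member": [ALICE, BOB], "nestedGroup": [ENGINEERING]},
    ENGINEERING: {"objectClass": ["groupOfEntries"],
                  "member": [CAROL], "nestedGroup": []},
    CONTRACTORS: {"objectClass": ["groupOfEntries"],
                  "member": [BOB], "nestedGroup": []},
    ALICE: {"objectClass": ["person"]},
    BOB:   {"objectClass": ["person"]},
    CAROL: {"objectClass": ["person"]},
}


def is_group(dn, directory):
    return "groupOfEntries" in directory.get(dn, {}).get("objectClass", [])


def resolve_members(group_dn, directory, _seen=None):
    """Derived membership under non-enforcing semantics.

    'member' DNs that are groups and 'nestedGroup' DNs that are not groups
    are skipped rather than rejected. _seen guards against group cycles.
    """
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    entry = directory.get(group_dn, {})
    members = {dn for dn in entry.get("member", []) if not is_group(dn, directory)}
    for dn in entry.get("nestedGroup", []):
        if is_group(dn, directory):
            members |= resolve_members(dn, directory, _seen)
    return members


def misplace(directory, group_dn, user_dn):
    """Copy of the directory with user_dn moved from 'member' to 'nestedGroup'
    of group_dn: the administrator's mistake discussed in the thread."""
    d = copy.deepcopy(directory)
    g = d[group_dn]
    g["member"] = [m for m in g["member"] if m != user_dn]
    g["nestedGroup"] = g["nestedGroup"] + [user_dn]
    return d


# Constructed ACLs: ordered (effect, group_dn, resource); first match wins,
# default deny. The second list carries an explicit deny, Pete's concern.
ACL_ALLOW_ONLY = [("allow", STAFF, "secrets")]
ACL_WITH_DENY = [("deny", CONTRACTORS, "secrets"),
                 ("allow", STAFF, "secrets")]


def decide(user_dn, resource, directory, acl):
    """True if the first rule whose group contains user_dn is an allow."""
    for effect, group_dn, res in acl:
        if res == resource and user_dn in resolve_members(group_dn, directory):
            return effect == "allow"
    return False


def outcomes():
    """The four cases side by side, keyed by a short label."""
    return {
        # Allow-only: Bob misplaced in staff merely loses access (benign).
        "allow_only_intended": decide(BOB, "secrets", DIRECTORY, ACL_ALLOW_ONLY),
        "allow_only_misplaced": decide(BOB, "secrets",
                                       misplace(DIRECTORY, STAFF, BOB), ACL_ALLOW_ONLY),
        # With a deny rule: Bob misplaced in contractors escapes the deny
        # and is granted secrets through staff (the breach).
        "deny_intended": decide(BOB, "secrets", DIRECTORY, ACL_WITH_DENY),
        "deny_misplaced": decide(BOB, "secrets",
                                 misplace(DIRECTORY, CONTRACTORS, BOB), ACL_WITH_DENY),
    }


if __name__ == "__main__":
    for label, result in outcomes().items():
        print(f"{label}: bob can read secrets = {result}")
```

Run it and the last line reads `deny_misplaced: bob can read secrets = True`, the opposite of the administrator's intent, while `allow_only_misplaced` only turns an intended `True` into `False`. The practical takeaway is that once a directory is consulted for deny decisions, the server (or the application resolving membership) has to reject DNs in the wrong attribute, not quietly skip them.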
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext