
Re: [ldapext] Nested group (was: groupOfEntries object class proposal)



On Wed, Sep 19, 2007 at 03:32:34PM -0400, simo wrote:

> Sorry but I see a fault here as well.
> Once you add, as a member, a user controlled by a foreign entity your
> security is already screwed if you don't trust that entity.
> If you trust it then you trust they will not try to use their power to
> exploit your system.

True, but the separation of attributes can limit how much of my
resource a malicious admin can give away.

Howard's suggestion of a limit on the 'expand groups' control leads to
another idea: split the nestedGroup attribute into two again:

	nestedGroupOfEntries
		The group entry that we point to can only contain
		leaf-nodes

	nestedRecursiveGroup
		The group entry that we point to may contain further
		nested groups as well as leaf-nodes.

That would give a structural way to limit the nesting of groups.
The expansion algorithm is now slightly larger, but not exactly
complex.

> That said, this example makes much more sense.

Thanks. The discussion is certainly helping me to clarify some ideas.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
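
The expansion algorithm for the two proposed attributes, as an added example that is not part of the original message or of any ldapext draft. It assumes leaf entries are listed in a 'member' attribute, that the "leaf-nodes only" rule is enforced at expansion time by ignoring nesting attributes in the target group, and it uses a constructed in-memory directory with made-up DNs.

```python
# Constructed sample directory: DN -> attributes. 'member' is an assumed
# attribute name; the two nesting attribute names come from the message.
DIRECTORY = {
    "cn=staff,o=mine": {
        "member": ["uid=alice,o=mine"],
        "nestedGroupOfEntries": ["cn=partners,o=foreign"],
        "nestedRecursiveGroup": ["cn=ops,o=mine"],
    },
    "cn=partners,o=foreign": {
        "member": ["uid=bob,o=foreign"],
        # Added later by the foreign admin; must not widen cn=staff.
        "nestedRecursiveGroup": ["cn=everyone,o=foreign"],
    },
    "cn=everyone,o=foreign": {"member": ["uid=mallory,o=foreign"]},
    "cn=ops,o=mine": {
        "member": ["uid=carol,o=mine"],
        "nestedRecursiveGroup": ["cn=oncall,o=mine"],
    },
    "cn=oncall,o=mine": {
        "member": ["uid=dave,o=mine"],
        "nestedRecursiveGroup": ["cn=ops,o=mine"],  # membership loop
    },
}


def expand_group(directory, group_dn):
    """Return (members, ignored): leaf DNs, and (group, target) links not followed."""
    members, ignored, seen = set(), [], set()

    def visit(dn, recursive):
        if (dn, recursive) in seen:  # loop or repeat reference
            return
        seen.add((dn, recursive))
        entry = directory.get(dn, {})  # dangling reference expands to nothing
        members.update(entry.get("member", []))
        nested = [(t, False) for t in entry.get("nestedGroupOfEntries", [])]
        nested += [(t, True) for t in entry.get("nestedRecursiveGroup", [])]
        for target, target_recursive in nested:
            if recursive:
                visit(target, target_recursive)
            else:
                # Reached via nestedGroupOfEntries: leaves only, so any
                # nesting inside this group is recorded and not followed.
                ignored.append((dn, target))

    visit(group_dn, True)
    return members, ignored
```

The 'ignored' list is worth logging: each entry is a nesting link that the owner of the referencing group never agreed to follow.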