
(ITS#4497) don't proxyAuthz the bound identity?

Full_Name: Pierangelo Masarati
Version: HEAD,re23,re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

When idassert is appropriate, back-ldap currently idasserts even if the
proxyAuthz identity is the same identity that is already bound.  This is
redundant, and, moreover, requires proxyAuthz privileges on those DSAs that
implement it (OpenLDAP doesn't care, as one can always authz as self).

I suggest (1) to avoid idasserting self in those cases; (2) if this behavior is
to any extent acceptable or even desirable, I suggest it's made optional.

A patch for (1) is coming.
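
The check suggested in (1), sketched as an added example; it is not the patch mentioned above and not back-ldap code. The helper name and its string-based interface are hypothetical, and it assumes both DNs have already been normalized by the server.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Proxied Authorization control OID (RFC 4370). */
#define PROXY_AUTHZ_OID "2.16.840.1.113730.3.4.18"

/* Hypothetical helper, not a back-ldap function.
 * bound_ndn: normalized DN the connection to the remote DSA is bound as
 *            ("" for an anonymous bind).
 * authzid:   identity to assert in authzId form: "dn:<normalized DN>",
 *            "u:<userid>", or "" for anonymous.
 * Returns the control OID to attach, or NULL when the assertion would only
 * restate the identity that is already bound. */
const char *proxyauthz_control_for(const char *bound_ndn, const char *authzid)
{
    if (bound_ndn == NULL || authzid == NULL)
        return PROXY_AUTHZ_OID;      /* unknown state: keep asserting */

    if (authzid[0] == '\0')          /* asserting anonymous */
        return bound_ndn[0] == '\0' ? NULL : PROXY_AUTHZ_OID;

    if (strncmp(authzid, "dn:", 3) != 0)
        return PROXY_AUTHZ_OID;      /* "u:" form cannot be compared to a DN */

    /* Exact comparison of normalized DNs only. A looser match (case folding,
     * whitespace trimming) could equate two distinct identities and silently
     * drop an assertion, so every mismatch errs toward sending the control. */
    return strcmp(authzid + 3, bound_ndn) == 0 ? NULL : PROXY_AUTHZ_OID;
}

int main(void)
{
    /* Constructed sample identities. */
    const char *bound = "cn=proxy,dc=example,dc=com";
    const char *ids[] = { "dn:cn=proxy,dc=example,dc=com",
                          "dn:cn=alice,dc=example,dc=com", "u:proxy", "" };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        const char *oid = proxyauthz_control_for(bound, ids[i]);
        printf("%-32s -> %s\n", ids[i], oid ? oid : "(no control)");
    }
    return 0;
}
```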