[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5555) authzTo ACL check for wrong principal

andrew.findlay@skills-1st.co.uk wrote:

> When using "authz-policy to" I find that the entity that is trying to do an
> operation on behalf of another entity needs read access to its own authzTo
> attribute.
> This seems wrong: authzTo is defining what the user may do: I do not really want
> them to be able to see it. When doing a proxy authz I think ACLs for this
> attribute should not be checked at all as the access is effectively being done
> by the rootdn.

AFAIK, access to that attribute is checked using AUTH rather than read. 
  The idea is that ACLs should allow to fine-grain control who is 
allowed to exploit the authorization feature while giving up as little 
as possible (e.g. AUTH instead of READ).


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it