Re: (ITS#5555) authzTo ACL check for wrong principal



andrew.findlay@skills-1st.co.uk writes:
> You are right: if I just grant 'auth' access to 'authzTo' the proxy
> authorisation succeeds. The philosophy makes sense so I will try to
> come up with a suitable patch to the Admin Guide describing how to use
> it. At the moment the only note about this is in the ACL Examples
> (7.2.5 at present) which says that authentication/authorization
> is always done anonymously - obviously not entirely true.

If non-anonymous access is needed, the slapd.access(5) manpage needs an
update too.  (Or instead, to avoid duplicating text.)  Currently it just
says:

    Auth (=x) privileges are also required on the authzTo attribute
    of the authorizing identity and/or on the authzFrom attribute of
    the authorized identity.

but it doesn't mention who needs that auth access.

-- 
Hallvard