Re: (ITS#5555) authzTo ACL check for wrong principal
> You are right: if I just grant 'auth' access to 'authzTo' the proxy
> authorisation succeeds. The philosophy makes sense so I will try to
> come up with a suitable patch to the Admin Guide describing how to use
> it. At the moment the only note about this is in the ACL Examples
> (7.2.5 at present) which says that authentication/authorization
> is always done anonymously - obviously not entirely true.
If non-anonymous access is needed, the slapd.access(5) manpage needs an
update too. (Or instead, to avoid duplicating text.) Currently it just
    Auth (=x) privileges are also required on the authzTo attribute
    of the authorizing identity and/or on the authzFrom attribute of
    the authorized identity.
but it doesn't mention who needs that auth access.