[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5555) authzTo ACL check for wrong principal

andrew.findlay@skills-1st.co.uk writes:
> You are right: if I just grant 'auth' access to 'authzTo' the proxy
> authorisation succeeds. The philisophy makes sense so I will try to
> come up with a suitable patch to the Admin Guide describing how to use
> it. At the moment the only note about this is in the ACL Examples
> (7.2.5 at present) which says that authentication/authorization
> is always done anonymously - obviously not entirely true.

If non-anonymous access is needed, the slapd.access(5) manpage needs an
update too.  (Or instead, to avoid duplicating text.)  Currently it just

    Auth (=x) privileges are also required on the authzTo attribute
    of the authorizing identity and/or on the authzFrom attribute of
    the authorized identity.

but it doesn't mention to who needs that auth access.