
Re: (ITS#5555) authzTo ACL check for wrong principal

On Mon, Jun 16, 2008 at 02:45:43PM +0200, Hallvard B Furuseth wrote:

> If non-anonymous access is needed, the slapd.access(5) manpage needs an
> update too.  (Or instead, to avoid duplicating text.)  Currently it just
> says:
> 
>     Auth (=x) privileges are also required on the authzTo attribute
>     of the authorizing identity and/or on the authzFrom attribute of
>     the authorized identity.
> 
> but it doesn't mention who needs that auth access.

It is the authenticated ID that needs access in both cases. On further
thought I think it is correct that the access is checked without
reference to whether that ID has access to entry and parent entries,
as (particularly in the case of authzFrom) the authenticated ID may
not have any direct access to the entry whose ID it is about to
assume.

Thus, if principal A has authenticated and wishes to perform an
operation using principal B's authorisation, the access required is:

	A needs auth access to authzTo in its own entry if that attribute
	is involved in giving A permission to act for B.

	A needs auth access to authzFrom in B's entry if that attribute
	is involved in giving A permission to act for B.

The rules are the same whether using a SASL authorization identity or
using a ProxyAuth control on an LDAP operation.

Thus I think my original report was wrong. This is a documentation
issue, not a bug.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
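The two access requirements spelled out in the reply above, written out as a slapd.conf fragment. This is an added, constructed example and is not part of the ITS message or of OpenLDAP's own documentation; the DNs uid=proxy (principal A, the authenticated identity) and uid=alice (principal B, the identity to be assumed) under dc=example,dc=com are assumed values chosen for illustration.

```conf
# Constructed example: ACLs matching the rules in the message above.
# A = uid=proxy,ou=People,dc=example,dc=com  (authenticated identity)
# B = uid=alice,ou=People,dc=example,dc=com  (identity A wants to assume)

# Rule 1: permission expressed via authzTo in A's OWN entry.
# A needs auth (=x) access to its own authzTo attribute; nothing else
# in A's entry has to be visible to A for this check to pass.
access to dn.exact="uid=proxy,ou=People,dc=example,dc=com" attrs=authzTo
        by self auth
        by * none

# Rule 2: permission expressed via authzFrom in B's entry.
# A needs auth access to authzFrom in B's entry, even though A is given
# no other access to B's entry or its parents here.
access to dn.exact="uid=alice,ou=People,dc=example,dc=com" attrs=authzFrom
        by dn.exact="uid=proxy,ou=People,dc=example,dc=com" auth
        by * none

# Attribute values (LDIF form) that these two rules are evaluated against:
#   in uid=proxy's entry:  authzTo:   dn:uid=alice,ou=People,dc=example,dc=com
#   in uid=alice's entry:  authzFrom: dn:uid=proxy,ou=People,dc=example,dc=com
```

Only one of the two rules is needed in practice, depending on which attribute slapd is configured to consult through the authz-policy directive (to, from, or both); the access check is the same whether A assumes B's identity via a SASL authorization identity or via the ProxyAuth control.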