Re: (ITS#5555) authzTo ACL check for wrong principal

andrew.findlay@skills-1st.co.uk wrote:
> On Mon, Jun 16, 2008 at 08:06:17PM +0200, Pierangelo Masarati wrote:
>> Ah, OK.  Note that since some point in 2.3, authorization is described 
>> by a specific syntax <http://www.openldap.org/faq/data/cache/1254.html>, 
>> which should probably be advertised a bit more (and moved out from the 
>> experimental OID arc).
> If that is used *everywhere* for authorisation then there could well
> be more doc errors to correct. I am fairly sure I saw one place where
> the docs specifically exclude some of those forms.

Yes, I believe in some cases some of the variants of the syntax are not 
allowed.  This is true, for example, in SASL identity mapping, which 
does not allow the regex, subtree, children, onelevel, group and users 
styles; only the base and uri forms are allowed (provided the latter 
only returns a single match).

> I notice that '*' excludes anonymous in this spec. There is an
> undocumented option to 'allow' that seems relevant: proxy_authz_anon -

Why undocumented?  It is documented (in 2.4, at least; it does not exist 
for 2.3).

> would allowing this cause anon to be included in '*' generally or is
> it not that simple?

'*' implies a non-empty value; to include anonymous, use "dn.regex:.*", 
or "dn.subtree:".
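As an added illustration of the point above (this is my own simplified model, not slapd's matcher, and it assumes plain case-insensitive RDN comparison rather than full DN normalization), the following shows why '*' excludes the anonymous (empty) identity while "dn.regex:.*" and "dn.subtree:" include it:

```python
import re

# Simplified model of the authorization-identity syntax discussed in the
# thread (assumption: this is not slapd's own code). The bound identity is a
# DN string, with "" standing for anonymous. Only the '*', dn:, dn.exact:,
# dn.regex: and dn.subtree: forms are modelled; DN comparison is a plain
# case-insensitive comparison of RDN components, which ignores real DN
# normalization rules.

def _split_rdns(dn: str) -> list:
    """Split a DN into RDN components on unescaped commas (simplified)."""
    if dn == "":
        return []
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]

def authz_matches(spec: str, bound_dn: str) -> bool:
    """Return True if bound_dn ("" = anonymous) is covered by spec."""
    if spec == "*":
        # '*' requires a non-empty identity, so anonymous is excluded.
        return bound_dn != ""
    if spec.startswith("dn.regex:"):
        pattern = spec[len("dn.regex:"):]
        # Whole-value match: "dn.regex:.*" therefore matches the empty DN too.
        return re.fullmatch(pattern, bound_dn, flags=re.IGNORECASE) is not None
    if spec.startswith("dn.subtree:"):
        base = _split_rdns(spec[len("dn.subtree:"):])
        target = _split_rdns(bound_dn)
        # An empty base is the root of the tree, so every DN, including the
        # empty (anonymous) one, lies within it.
        if len(base) == 0:
            return True
        return len(target) >= len(base) and target[-len(base):] == base
    for prefix in ("dn.exact:", "dn:"):
        if spec.startswith(prefix):
            # Base form: the identities must be the same DN.
            return _split_rdns(spec[len(prefix):]) == _split_rdns(bound_dn)
    raise ValueError("unsupported authz form: %r" % spec)
```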
