Re: authzTo ACL check for wrong principal (ITS#5555)
Gavin Henry wrote:
>> On Mon, Jun 16, 2008 at 02:29:21PM +0000, Andrew Findlay wrote:
>>> Thus I think my original report was wrong. This is a documentation
>>> issue, not a bug.
>> I have uploaded a suggested set of patches to make the behaviour
>> The patch is against 2.4.10
>> It might be better still to factor out the concept of proxy
>> authorisation and its control from the SASL authz mechanism, as it
>> applies also to the LDAP Proxied Authorization Control.
>> I have not done this as I was unsure where best to put it.
> Hi Ando,
> If you get a chance at some point, could you review this patch and I'll apply it
After a quick look, it seems to be a good starting point. I'd be a
little bit more careful about wording: "proxyAuthz" should probably be
"proxied authorization"; the first time it is mentioned, a reference to
RFC4370 should be present, both in slapd.access(5) and in the Admin
Guide (as in the SASL section).
Also, in the contribution to the Admin Guide it is sometimes referred to
as the "proxy facility"; I'd rather use "proxied authorization facility"
or better "proxied authorization control".
Finally, the patch seems to correctly explain what is required in order
to authorize. I'd add a strong comment on the importance of protecting
authzFrom and especially authzTo from malicious writes, which could
result in lesser privileged identities modifying their own entry in
order to be able to self-authorize as higher privileged identities.
Administrators should be warned as they start reading about this feature.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
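
The write protection asked for in the reply above, sketched as slapd.conf access rules. This is an added example, not part of the thread or of the ITS#5555 patch; the suffix and the `cn=admin` DN are constructed placeholders, and leaving `auth` access in place assumes slapd's internal proxied-authorization lookup needs it, as slapd.access(5) describes.

```conf
# --- Weak: no rule names authzTo/authzFrom, so the catch-all applies. ---
# "by self write" lets any user add an authzTo value to their own entry
# and then authorize as the identities that value matches.
#
#   access to *
#       by self write
#       by users read
#       by anonymous auth

# --- Hardened: a dedicated rule placed BEFORE any broader rule. ---
# slapd stops at the first "access to" clause that matches the target,
# so this must come ahead of "access to *".
access to attrs=authzTo,authzFrom
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * auth

# Everything else keeps the usual self-service behaviour.
access to *
    by self write
    by users read
    by anonymous auth
```

After loading the rules, `slapacl` can be used to confirm that an ordinary user's DN is denied write access to `authzTo` on its own entry.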