[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP enhancements

On Mon, Aug 09, 1999 at 04:36:12PM -0400, Mark Valence wrote:
> A related change that I'd like to make is the addition of "secure" 
> permissions.  For example, I'd like to be able to do something like 
> this:
>      access to attr=privateAttr by * secureread
> What secureread (and securewrite, etc.) means is that the connection 
> over which the reading (writing) is happening is secure (via SASL/TLS 
> SSL).  What I'm looking for is on-the-wire security enforced for 
> certain attributes.
> Doing secureread/securewrite seems really easy, from my current 
> understanding of the source.  Also, adding dynamic configuration of 
> ACLs though LDAP seems pretty straightforward.  I want to do it 
> right, though, and comments like David's are right on the mark (as 
> are others that I have received in private e-mail).

Actually you can already do this in the -devel branch I believe by using
the url based acls and setting it so it's only accesible via the secure
url (the ssl port).

Not sure how this will work when SASL support is complete (setting acls
based on the SASL method chosen?).