[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL, slapd internal searches

> A little while back I committed some changes to the sasl/saslauthz code
> to make sure that it enforced ACLs on all the internal searches it
> performs. I think some of these changes are wrong/unnecessary. Really,
> the point of an ACL is to control what an external user can see/touch.
> When slapd is performing a search to map an authID to a DN, I think this
> should be treated as a root-privileged operation, ignoring access
> controls. Aside from the DN itself, nothing about the entry is ever
> exposed to any external user. Comments?

I did not study your changes; however, I think you should ensure
that authz code does have the necessary auth permissions, such
that an administrator is given the possibility to control how
the auth/authz process takes place, and to inhibit some forms of
it by means of ACL.  I think this is the spirit of the auth
permission level.


Pierangelo Masarati