[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: proxy authorization

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: proxy authorization
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 22 Nov 2003 17:55:59 +0100
Cc: openldap-devel@OpenLDAP.org
References: <00c301c35f86$63600780$0e01a8c0@CELLO>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Howard Chu wrote:

Given that we have a proxyAuthz control now, which can cause particular operations on a session to be performed on behalf of another user, there's a bit of a gap in the feature set. Binds need to be proxiable too - given a scenario with a privileged user connected to slapd, performing ops on behalf of other users, we still need a way to verify the identify of a requestor.

I have another scenario: a user authenticated to a server with distributed subtrees; the user is authenticated to one of the remote subtrees, so he is bound for the remote subtree (direct bind) and for the proxy server (authenticated by the remote server), so there should be a way the proxy server propagates the user authorization to the other remote subtrees. This should also be true if the user is authenticated locally at the proxy server, which is a subcase of the former scenario.

I wonder if the "overlay chain" has anything to do with this ... Am I reinventing the wheel?

Ando.

+----------------------------------------------------------------------------+
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |
+----------------------------------------------------------------------------+

Prev by Date: Re: commit: ldap/servers/slapd/slapi TODO
Next by Date: Re: Operation thread-safe
Index(es):
- Chronological
- Thread