
Re: proxy authorization

Howard Chu wrote:

Given that we have a proxyAuthz control now, which can cause particular
operations on a session to be performed on behalf of another user, there's a
bit of a gap in the feature set. Binds need to be proxiable too - given a
scenario with a privileged user connected to slapd, performing ops on behalf
of other users, we still need a way to verify the identity of a requestor.

I have another scenario: a user authenticated to a server with distributed subtrees;
the user is authenticated to one of the remote subtrees, so he is bound for the
remote subtree (direct bind) and for the proxy server (authenticated by the remote
server), so there should be a way the proxy server propagates the user authorization
to the other remote subtrees. This should also be true if the user is authenticated
locally at the proxy server, which is a subcase of the former scenario.

I wonder if the "overlay chain" has anything to do with this ... Am I reinventing the


|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |