Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

[Howard Chu <hyc@symas.com>]

Pierangelo Masarati wrote:

> Howard Chu wrote:
>
> > > For the realdn, I'm currently assuming that the only place where 
> > > identity may change is inside parseProxyAuthz(); I added a o_realndn 
> > > field to the operation structure; this field is supposed to be 
> > > BER_BVNULL unless proxyAuthz occurred; if it is NULL, the "realdn" 
> > > clause, if present, is evaluated using the o_ndn field; if it is not 
> > > null, it behaves as expected.  Maybe, in case of SASL bind, we could 
> > > store in o_ndn the constructed DN before authz via authz-regexp rules.
> >
> > Does this really belong in op->o_realndn? Perhaps we should have it 
> > back in conn->c_dn.
>
> You mean: directly use conn->c_dn instead of copying it in op->o_realndn?

Right.

> > As for storing the DN prior to authz-regexp, I'm inclined to 
> > disagree. The result of regexp mapping is still an authcDN, not an 
> > authzDN, and I'm not convinced that we need to refer back to the 
> > SASLDN after mapping has been done.
> right.

The patch looks good, but now I see that I was overlooking something. We 
don't preserve the authcDN if someone does a SASL Bind with proxy 
authorization. In that case we actually need to store both an authcDN 
and an authzDN in the Connection structure, if we really want to handle 
that case. Otherwise, what we have now should work for the proxyAuth 
control, which is good.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support