
Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)



Kurt D. Zeilenga wrote:

At 04:39 PM 4/2/2005, Howard Chu wrote:


The patch looks good, but now I see that I was overlooking something. We don't preserve the authcDN if someone does a SASL Bind with proxy authorization. In that case we actually need to store both an authcDN and an authzDN in the Connection structure, if we really want to handle that case. Otherwise, what we have now should work for the proxyAuth control, which is good.


Right. Note that with SASL proxying and LDAP proxying, one
can have multiple levels of proxying. But, for simplicity,
we just need to know what the real (authcDN) and the
effective (authzDN) identities are. The intermediate identities
don't need to be subjects in the access control policy.


The patch is mainly intended as a fast prototyping of the feature, and to provide the ACL-side support (parsing & evaluation). Now, to handle the SASL authz feature all we need is to properly feed the realndn (currently c_ndn, but we can easily revert to o_realndn if there are other requirements about how to feed it).

p.



SysNet - via Dossi, 8 27100 Pavia Tel: +390382573859 Fax: +390382476497
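As an added illustration of the point made in this thread (not code from the OpenLDAP tree): a connection that keeps both the real identity (authcDN) and the effective identity (authzDN) after a SASL bind with proxy authorization, discards intermediate identities on further proxying, and an ACL evaluator that can name either identity as its subject. The `real`/`effective` subject keywords, the rule format and the first-match semantics are assumptions of this model, not slapd's actual ACL syntax.

```python
from dataclasses import dataclass

# Assumed access ordering for the model: higher level implies the lower ones.
LEVELS = {"none": 0, "read": 1, "write": 2}


@dataclass
class Connection:
    """Model of a connection recording who authenticated and who the ops run as."""
    authc_dn: str = ""   # real identity: the DN that actually authenticated
    authz_dn: str = ""   # effective identity: the DN operations are evaluated as

    def sasl_bind(self, authc_dn: str, authz_dn: str = "") -> None:
        # Always keep the real identity; the effective identity only differs
        # when the bind carried a proxy authorization identity.
        self.authc_dn = authc_dn
        self.authz_dn = authz_dn or authc_dn

    def proxy_as(self, authz_dn: str) -> None:
        # A further level of proxying replaces only the effective identity;
        # the intermediate identity is not retained, as the thread argues.
        self.authz_dn = authz_dn


@dataclass
class Rule:
    subject: str     # "real" -> match against authcDN, "effective" -> authzDN
    who: frozenset   # DNs this rule applies to
    access: str      # granted level: "none", "read" or "write"


def evaluate(rules: list[Rule], conn: Connection, requested: str) -> bool:
    """First matching rule decides (assumed semantics); no match denies."""
    for rule in rules:
        dn = conn.authc_dn if rule.subject == "real" else conn.authz_dn
        if dn in rule.who:
            return LEVELS[rule.access] >= LEVELS[requested]
    return False


# Constructed sample policy: proxies authenticating as the proxy account are
# capped at read regardless of whom they impersonate; alice herself may write.
POLICY = [
    Rule("real", frozenset({"uid=proxy,dc=example,dc=com"}), "read"),
    Rule("effective", frozenset({"uid=alice,dc=example,dc=com"}), "write"),
]
```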