[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

Kurt D. Zeilenga wrote:

At 04:39 PM 4/2/2005, Howard Chu wrote:

The patch looks good, but now I see that I was overlooking something. We don't preserve the authcDN if someone does a SASL Bind with proxy authorization. In that case we actually need to store both an authcDN and an authzDN in the Connection structure, if we really want to handle that case. Otherwise, what we have now should work for the proxyAuth control, which is good.

Right. Note that with SASL proxying and LDAP proxying, one
can multiple levels of proxying. But, for simplicity,
we just need to know what the real (authcDN) is and the
effective (authzDN) is. The intermediate identities
don't need to be subjects in the access control policy.

The patch is mainly intended as a fast prototyping of the feature, and to provide the ACL-side support (parsing & evaluation). Now, to handle the SASL authz feature all we need is properly feed the realndn (currently c_ndn, but we can easily revert to o_realndn if there's other requirements about how to feed it).


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497