
Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)

> I suspect we're all agreeing.  I think your code is fine and
> appears safe to commit.

OK, the patch is committed, accounting for Howard's comments, and Howard
committed a fix to SASL bind that should keep the authcDN and the authzDN
separate and accessed accordingly for "realdn" vs. "dn" ACL evaluation.  I
say "should" because I couldn't put my hands on the code yet, but I'm
positive the feature is now working as intended.  I'll add some tests to

Ciao, p.

> Just to be sure, here is an identity mapping summary as it
> relates to subject identities (the identity subject to access
> controls).
> When simple bind is used, the bind name is not only the
> authcId and authzId, but these map directly to the authcDN and
> authzDN.  When SASL bind is used, the authcID and authzID
> are not only possibly different, but each is mapped to
> produce the authcDN and authzDN.  When the proxy authorization
> control is used, a new authzId is provided by the client, which through
> mapping generates a new authzDN.  The real subject should be
> the authcDN, the effective subject is the authzDN.
> Kurt

Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
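As an added illustration (not code from this thread or from slapd itself), here is a small Python model of the mapping Kurt summarises and of how "realdn" clauses (matched against the authcDN) differ from "dn" clauses (matched against the authzDN) when an operation is proxy-authorized. The identity map, the DNs and the ACL are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed SASL identity map (authcID/authzID string -> DN); it stands in
# for slapd's authz-regexp mapping and is an assumption of this example.
ID_MAP = {
    "u:proxy": "cn=proxy,dc=example,dc=com",
    "u:alice": "uid=alice,ou=people,dc=example,dc=com",
}

@dataclass
class Subject:
    authc_dn: str  # real subject: what a "realdn" ACL clause sees
    authz_dn: str  # effective subject: what a "dn" ACL clause sees

def simple_bind(bind_dn: str) -> Subject:
    # Simple bind: the bind name is both the authcDN and the authzDN.
    return Subject(bind_dn, bind_dn)

def sasl_bind(authc_id: str, authz_id: Optional[str] = None) -> Subject:
    # SASL bind: authcID and authzID are mapped independently;
    # with no authzID the effective subject is the real one.
    authc_dn = ID_MAP[authc_id]
    authz_dn = ID_MAP[authz_id] if authz_id else authc_dn
    return Subject(authc_dn, authz_dn)

def proxy_authz(subject: Subject, authz_id: str) -> Subject:
    # Proxy authorization control: the client supplies a new authzID,
    # which maps to a new authzDN; the authcDN (real subject) is unchanged.
    return Subject(subject.authc_dn, ID_MAP[authz_id])

# Constructed ACL for one target, evaluated in order like slapd "by" clauses:
# whoever the proxy is acting *as*, the proxy's real identity caps access at read.
ACL = [
    ("realdn", "cn=proxy,dc=example,dc=com", "read"),
    ("dn", "uid=alice,ou=people,dc=example,dc=com", "write"),
    ("*", None, "none"),
]

def evaluate(subject: Subject) -> str:
    for kind, who, access in ACL:
        if kind == "*":
            return access
        seen = subject.authz_dn if kind == "dn" else subject.authc_dn
        if seen == who:
            return access
    return "none"
```

Without the "realdn" clause, a proxy-authorized operation acting as alice would receive alice's write access, since "dn" clauses only ever see the effective subject.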