
Re: slapo-dynlist design question(s)



Pierangelo Masarati wrote:
> Quanah Gibson-Mount wrote:
>> --On Saturday, January 20, 2007 4:09 PM +0100 Pierangelo Masarati
>>> Or, we could define (configurable) dynamic group specific attrs that
>>> implement the dynamic group's identity (groupManager?) and authorization
>>> rules (groupAuthzFrom?; groupAuthzTo would make sense as well; it could
>>> be used to check if a dynamic group is allowed to let a user assume the
>>> privileged identity when accessing a certain datum, the "to" of
>>> groupAuthzTo).
>>
>> I guess my issue here is that I want the proxy ID to not be associated with the client's ID at all. I simply want a way to have the dynamic group use the ACLs to decide whether or not the client has read or compare to the membership list, and if it does, then to use an internal identity that knows nothing about the client itself to do the compare or membership generation as necessary. So I guess the second solution would work best in that case?
>
> Well, mine was basically a suggestion to make things more finely tunable; of course, a safe default would be, for example, if no dynamic group exploitation authorization were defined, to allow users to use the dynlist and to deny anonymous. The latter could be enabled by setting groupAuthzFrom to "*" (shortcut for "dn.regex:.*").
>
> So, in the end you would have what you need, while the feature could be
> restricted as needed.

Funny how we hashed out the same things as this draft http://www.ietf.org/internet-drafts/draft-haripriya-dynamicgroup-02.txt

I wish we had better communication sometimes; I never saw any talk of this on the ldapext mailing list nor any announcement of the draft being available.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
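Added example, not part of the thread and not slapo-dynlist code: a toy evaluator for the two design points discussed above, the proposed groupAuthzFrom rule (absent attribute means "authenticated allowed, anonymous denied"; "*" is the shortcut for "dn.regex:.*"), and Quanah's request that, once the client passes that check, the membership expansion itself runs as an internal identity unrelated to the client. The attribute name groupAuthzFrom, the accepted rule syntaxes ("*", "dn.regex:<regex>", "dn.exact:<dn>"), the internal identity cn=dynlist,dc=example,dc=com, the toy ACL, and the sample directory are all assumptions made for illustration.

```python
import re
from typing import Iterable, List, Optional

ANONYMOUS_DN = ""  # slapd represents the anonymous identity as an empty DN
INTERNAL_DN = "cn=dynlist,dc=example,dc=com"  # assumed internal expansion identity


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation (lower-case, no blanks around commas).
    Real slapd normalises per schema; this is enough for the toy."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def rule_matches(rule: str, client_dn: str) -> bool:
    """Does one (assumed) groupAuthzFrom value admit client_dn?"""
    if rule == "*":  # shortcut for dn.regex:.* as proposed in the thread
        rule = "dn.regex:.*"
    if rule.startswith("dn.regex:"):
        return re.fullmatch(rule[len("dn.regex:"):], normalize_dn(client_dn)) is not None
    if rule.startswith("dn.exact:"):
        return normalize_dn(rule[len("dn.exact:"):]) == normalize_dn(client_dn)
    raise ValueError(f"unsupported groupAuthzFrom rule: {rule!r}")


def may_exploit(authz_from: Optional[Iterable[str]], client_dn: str) -> bool:
    """Safe default when the attribute is absent: authenticated yes, anonymous no.
    Otherwise any matching rule admits the client; "*" deliberately admits anonymous."""
    if authz_from is None:
        return client_dn != ANONYMOUS_DN
    return any(rule_matches(r, client_dn) for r in authz_from)


# Constructed sample directory (normalised DN -> attributes); not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"title": ["admin"]},
    "uid=bob,ou=people,dc=example,dc=com": {"title": ["user"]},
    "uid=carol,ou=people,dc=example,dc=com": {"title": ["admin"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(title=admin)"],
        "groupauthzfrom": ["dn.regex:.*,ou=people,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {  # no groupAuthzFrom: safe default
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(title=user)"],
    },
    "cn=anyone,ou=groups,dc=example,dc=com": {  # "*": anonymous may use it
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(title=user)"],
        "groupauthzfrom": ["*"],
    },
}


def can_read(identity: str, entry_dn: str) -> bool:
    """Toy ACL: the internal identity reads everything, a user reads only its
    own entry, anonymous reads nothing."""
    if identity == INTERNAL_DN:
        return True
    return identity != ANONYMOUS_DN and normalize_dn(identity) == normalize_dn(entry_dn)


def parse_member_url(url: str):
    """ldap:///<base>?<attrs>?<scope>?<filter>; only "(attr=value)" filters here."""
    base, _attrs, _scope, flt = url[len("ldap:///"):].split("?")
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if m is None:
        raise ValueError(f"unsupported filter: {flt!r}")
    return normalize_dn(base), m.group(1).lower(), m.group(2)


def expand_group(group_dn: str, client_dn: str, run_as: str = INTERNAL_DN) -> Optional[List[str]]:
    """Expand a dynamic group on behalf of client_dn.

    Returns None when groupAuthzFrom does not admit the client at all.  Otherwise
    the memberURL search runs as run_as: the internal identity by default (the
    behaviour Quanah asks for), or the client itself to show the alternative."""
    group = DIRECTORY[normalize_dn(group_dn)]
    if not may_exploit(group.get("groupauthzfrom"), client_dn):
        return None
    base, attr, value = parse_member_url(group["memberurl"][0])
    members = []
    for dn, entry in DIRECTORY.items():
        in_scope = dn == base or dn.endswith("," + base)
        if in_scope and can_read(run_as, dn) and value in entry.get(attr, []):
            members.append(dn)
    return sorted(members)
```

With the internal identity, bob (an ordinary user who can only read his own entry) still obtains the full admins list because expansion never runs with his privileges; running the same expansion as bob yields nothing. Anonymous is refused on the admins and staff groups but admitted on the group whose rule is "*".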