[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/servers/slapd/overlays dyngroup.c

Howard Chu wrote:

>> A dgPolicy flag could determine what behavior, in case of no compliance
>> with policy, should be taken: either (a) or (b), or none.
> dgAuthz seems like overkill. If the user has read/search privs on the
> group entry, that ought to be sufficient.

I disagree: by running an internal operation with dgIdentity, and
returning the results of that operation, you'd break the security model
of OpenLDAP.  In fact, a dynamic group can unveal data that would
otherwise be inaccessible to a user.  In fact, only running the search
with the user's identity guarantees the security model is not broken,
but dgAuthz, at least, gives some granularity.  This doesn't break
either backwards compatibility nor draft-haripriya-dynamicgroup: those
who want to stick with it only have to ignore dgAuthz.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it