(Please get the citation correctly wrapped so I don't have to re-edit it.)

Ulrich Windl wrote:
>>>> Michael Ströder <michael@stroeder.com> wrote:
>> Ulrich Windl wrote:
>>> Multiple DNs can be members of a group/role, and you can use group
>>> names when assigning ACLs. To authenticate, a user will use his DN and
>>> own password.
>>> Now when a DN is a member of multiple roles/groups, authenticating as
>>> a member assigns all the rights each group/role has.
>>
>> It depends. Note that order of the ACLs and <who> clause within ACLs is
>> significant.
>
> But you use the role name for <who>, right?

In simple and most cases, yes. But it does not mean that the roles are all
effective at the *same* time. You can influence the control flow of the
ACLs and stop before ACLs or skip ACLs.

>> If you're still feeling hungry for more intellectual input you can dive
>> into various RBAC approaches presented at LDAPcon 2011 and 2013.
>
> Any paper or URI for that?

https://www.google.de/search?q=ldapcon+rbac

>> But IMO there's not much point in doing so because if the user's
>> credentials are intercepted the attacker can gain access to any role.
>
> Correct. At least the system should enforce that the user has to
> re-authenticate before changing the role. Using an OTP mech, this would be
> acceptable.

Ciao, Michael.
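The point about <who> clause order and control flow, as an added slapd.conf example that is not part of the thread; the role group names, the suffix dc=example,dc=com and the ou=roles container are assumptions:

```conf
# Roles are groupOfNames entries under ou=roles,dc=example,dc=com (hypothetical);
# a user's DN is listed as a "member" value of each role it holds.

# Default control directive is "stop": the first matching <who> clause decides.
# A DN that is a member of both roles therefore gets only what the first
# matching clause grants, so the more privileged role must be listed first.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group="cn=role-admin,ou=roles,dc=example,dc=com" write
    by group="cn=role-auditor,ou=roles,dc=example,dc=com" read
    by users search
    by * none

# With "continue" later <who> clauses in the same ACL are still evaluated and
# incremental privileges (=, +, -) accumulate: a member of both roles ends up
# with read+search+compare+auth plus write. Note the missing "by * none":
# it would match the role members too and reset their accumulated privileges;
# a DN that matches no clause is denied anyway.
access to dn.subtree="ou=groups,dc=example,dc=com"
    by group="cn=role-auditor,ou=roles,dc=example,dc=com" =rscx continue
    by group="cn=role-operator,ou=roles,dc=example,dc=com" +w continue

# "break" lets evaluation fall through to the *next* access directive, so a
# later, more specific ACL can still apply; "stop" (default) ends it here.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self =xw break
    by anonymous auth
    by * none
```

Check the result with slapacl (e.g. slapacl -b "uid=alice,ou=people,dc=example,dc=com" -D "<the DN under test>" userPassword) rather than reasoning about it from the file alone.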