
Re: Re: Q: roles for authentication



>>> Michael Ströder <michael@stroeder.com> wrote on 09.12.2014 at 15:47 in
message <54870B9E.2080306@stroeder.com>:
> Ulrich Windl wrote:
>> I have a question: You can define roles for authentication this way:
> 
> You probably are talking about authorization, not authentication.

OK!

> 
>> Multiple DNs can be members of a group/role, and you can use group names
>> when assigning ACLs.
>> To authenticate, a user will use his DN and own password.
>> 
>> Now when a DN is member of multiple roles/groups, authenticating as member
>> assigns all the rights each group/role has.
> 
> It depends. Note that order of the ACLs and <who> clause within ACLs is
> significant.

But you use the role name for <who>, right?

> 
>> The idea of a role however is that a user "changes hats", depending on the
>> task he is doing.
>> 
>> I wonder: Is it possible to authenticate with a group/role's DN and the
>> user's (a member) password?
>> 
>> Or is there some other mechanism to achieve what I want?
> 
> You could allow a single authenticated user to define a certain authz
> identity. You should make yourself familiar with SASL authz-ID, proxy authz
> and authzTo/authzFrom attributes.
> 
> If you're still feeling hungry for more intellectual input you can dive into
> various RBAC approaches presented at LDAPcon 2011 and 2013.

Any paper or URI for that?

> 
> But IMO there's not much point in doing so because if the user's credentials
> are intercepted the attacker can gain access to any role.

Correct.

> 
> Ciao, Michael.

Thank you for answering!

Regards,
Ulrich
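As an added illustration of the proxy-authorization mechanism Michael points to (this is not code from either poster, just an example of the authzTo/authz-policy setup in OpenLDAP cn=config form), the following LDIF lets a user bind with his own DN and password and then run requests as a separate role entry. All DNs, the database index {1}mdb and the suffix dc=example,dc=com are assumed example values; the modifications are applied as the database rootdn.

```ldif
# Added example, not from the thread: OpenLDAP cn=config LDIF for
# "changing hats" via SASL proxy authorization (authzTo + proxyAuthz control).
# All DNs and the {1}mdb database are assumed example values.

# 1. Let the *authenticating* entry decide which identities it may assume
#    (authz-policy "to" means the bound entry's authzTo values are checked).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to
-
# Grant the write right to the role DN only; the user's own DN gets nothing extra.
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=servers,dc=example,dc=com"
  by dn.exact="cn=role-admin,ou=roles,dc=example,dc=com" write
  by users read
olcAccess: {1}to * by * read

# 2. The role is an ordinary entry with no userPassword: nobody ever binds as it.
dn: cn=role-admin,ou=roles,dc=example,dc=com
changetype: add
objectClass: organizationalRole
cn: role-admin

# 3. The user keeps his own DN and password; authzTo lists the role DN(s)
#    he is allowed to switch to. authzTo is an operational attribute, so no
#    extra objectClass is needed.
dn: uid=ulrich,ou=people,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn:cn=role-admin,ou=roles,dc=example,dc=com

# Usage: authenticate as the user, execute the request as the role:
#   ldapsearch -x -D uid=ulrich,ou=people,dc=example,dc=com -W \
#     -e authzid="dn:cn=role-admin,ou=roles,dc=example,dc=com" \
#     -b ou=servers,dc=example,dc=com
# Without the authzid extension the same bind only gets "users read".
# Note Michael's caveat still applies: the user's single password unlocks
# every role listed in authzTo, so this separates ACL targets, not credentials.
```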