[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL, slapd internal searches

To: <hyc@highlandsun.com>
Subject: Re: SASL, slapd internal searches
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Sat, 8 Mar 2003 10:45:36 +0100 (CET)
Cc: <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <01f301c2e553$07490f30$0e01a8c0@CELLO>
References: <01f301c2e553$07490f30$0e01a8c0@CELLO>

> A little while back I committed some changes to the sasl/saslauthz code
> to make sure that it enforced ACLs on all the internal searches it
> performs. I think some of these changes are wrong/unnecessary. Really,
> the point of an ACL is to control what an external user can see/touch.
> When slapd is performing a search to map an authID to a DN, I think this
> should be treated as a root-privileged operation, ignoring access
> controls. Aside from the DN itself, nothing about the entry is ever
> exposed to any external user. Comments?

I did not study your changes; however, I think you should ensure
that authz code does have the necessary auth permissions, such
that an administrator is given the possibility to control how
the auth/authz process takes place, and to inhibit some forms of
it by means of ACL.  I think this is the spirit of the auth
permission level.

Ando.

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: SASL, slapd internal searches
  - From: Igor Brezac <igor@ipass.net>

References:
- SASL, slapd internal searches
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: SASL, slapd internal searches
Next by Date: Re: SASL, slapd internal searches
Index(es):
- Chronological
- Thread