[Date Prev][Date Next] [Chronological] [Thread] [Top]

proxyAuthz propagation in back-ldap

To: <openldap-devel@OpenLDAP.org>
Subject: proxyAuthz propagation in back-ldap
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Wed, 10 Dec 2003 21:12:01 +0100 (CET)
Importance: Normal

I'm concerned about using the "binddn" identity
for proxy authz propagation using back-ldap.
The "binddn" (although the name now appears a bit
obscure and mileaing) is essentilly intended to
bypass ACLs on the remote server for proxy internal
ops.  I'm considering the possibility of using
different identity for prozy authz.  This because
the presence of its dedicated administrative dn
would be used to enable the feature, and this
should be clearly separated from the need to define
the "binddn"; moreover, I expect that such user
should have very specific privileges, generally
different from those of the binddn:

binddn:
    - auth permission
    - essentially read access to *

proxyauthzdn:
    - auth permission
    - read access to its own entry's saslAuthzTo
      attribute, or
    - read access to others' saslAuthzFrom attribute,
      for fine grain authz policy

Comments?

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: proxyAuthz propagation in back-ldap
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: ITS#2494, ldap_sort_entries
Next by Date: Re: proxyAuthz propagation in back-ldap
Index(es):
- Chronological
- Thread