[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthz{To|From}

Howard Chu wrote:
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]

The initial use of slap_parse_user() in parseProxyAuthz
was intended to allow clients to specify a realm in the
proxyAuthz control, but no mech was allowed.

When we decided to condition the possibility of a realm
in a used ID specification on the presence of a mech,
this was making user realm specification impossible in
proxyAuthz, so I added the "fake" "AUTHZ" mech to proxyAuthz
control simply as a means to allow the possibility of a mech.

parseProxyAuthz() desn't need to break the incoming authzID
except for these sanity checks.

Well... specifying the realm is irrelevant

I would agree in principle, but, as appeared in ITS#2871, someone might want to use that field to map the incoming ID from a regular auth with a mech that uses thr realm, and use the same rule for proxyAuthz control. If we allow to specify the realm (but not the mech) we give more freedom in writing sasl-regexp rules. If we find out this freedom is too much, or has side effects that adversely impact security, then of course we need to limit it. I'm open to any solution that resolves ITS#2871 without affecting security.

This raises another point, which is vaguely related to the problem of authorizing use of controls in the first place. I think it would be useful to restrict the proxyAuthz control based on the LDAP Operation. E.g., I may only want to authorize someone to proxy as me for Add operations, and nothing else. This is not quite the same as the ACLs, nor do we need to duplicate ACL functionality here. But it's something to consider.

This sounds quite interesting. A mech to do this could be to add the operation to the incoming ID, so that the sasl-regexp rule can take care of allowing/denying operations.

One thing that s*cks is that the auth ID uses "cn" for every
part; if we could use different attributes, or at least
option modifiers, to clearly mark different parts ... e.g.


then sasl-regexp (or authid-rewrite* ) rules could be
implemented in a more efficient way, significantly when
only one "rdn" is required for mapping ...


-- Dr. Pierangelo Masarati mailto:pierangelo.masarati@sys-net.it LDAP Architect, SysNet s.n.c. http://www.sys-net.it
|                                                                            |
|                     Buon Natale e felice Anno Nuovo                        |
|                                                                            |
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497   |