
Re: saslAuthz{To|From}



Howard Chu wrote:
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]


The initial use of slap_parse_user() in parseProxyAuthz
was intended to allow clients to specify a realm in the
proxyAuthz control, but no mech was allowed.

When we decided to condition the possibility of a realm
in a user ID specification on the presence of a mech,
this was making user realm specification impossible in
proxyAuthz, so I added the "fake" "AUTHZ" mech to proxyAuthz
control simply as a means to allow the possibility of a mech.

parseProxyAuthz() doesn't need to break the incoming authzID
except for these sanity checks.


Well... specifying the realm is irrelevant

I would agree in principle, but, as appeared in ITS#2871, someone might want to use that field to map the incoming ID from a regular auth with a mech that uses the realm, and use the same rule for proxyAuthz control. If we allow specifying the realm (but not the mech) we give more freedom in writing sasl-regexp rules. If we find out this freedom is too much, or has side effects that adversely impact security, then of course we need to limit it. I'm open to any solution that resolves ITS#2871 without affecting security.


This raises another point, which is vaguely related to the problem of authorizing use of controls in the first place. I think it would be useful to restrict the proxyAuthz control based on the LDAP Operation. E.g., I may only want to authorize someone to proxy as me for Add operations, and nothing else. This is not quite the same as the ACLs, nor do we need to duplicate ACL functionality here. But it's something to consider.

This sounds quite interesting. A mech to do this could be to add the operation to the incoming ID, so that the sasl-regexp rule can take care of allowing/denying operations.

One thing that s*cks is that the auth ID uses "cn" for every
part; if we could use different attributes, or at least
option modifiers, to clearly mark different parts ... e.g.

uid=<user>[,cn;x-realm=<realm>][,cn;x-op=<op>][,cn;x-mech=<mech>],cn=auth

then sasl-regexp (or authid-rewrite* ) rules could be
implemented in a more efficient way, significantly when
only one "rdn" is required for mapping ...

Ando.


--
Dr. Pierangelo Masarati    mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.    http://www.sys-net.it
+----------------------------------------------------------------------------+
|                                                                            |
|                     Buon Natale e felice Anno Nuovo                        |
|                                                                            |
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497   |
+----------------------------------------------------------------------------+
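The ID layout sketched above (uid=<user>[,cn;x-realm=<realm>][,cn;x-op=<op>][,cn;x-mech=<mech>],cn=auth) as a worked example, added here and not code from the thread or from OpenLDAP: it splits such an ID into labelled parts, rejects anything outside the layout, and then applies sasl-regexp-style rules to a canonical form, so a rule can authorize proxying for one LDAP operation only. The layout, the sample rules and the example.com entries are assumptions.

```python
import re

# Proposed layout from the thread (hypothetical; slapd does not implement it):
#   uid=<user>[,cn;x-realm=<realm>][,cn;x-op=<op>][,cn;x-mech=<mech>],cn=auth
_TAGS = {"x-realm": "realm", "x-op": "op", "x-mech": "mech"}

def parse_authz_id(authz_id):
    """Split an ID in the proposed layout into user/realm/op/mech (None if absent).
    Anything outside the layout raises ValueError, so a malformed ID is
    rejected before any mapping rule is consulted."""
    rdns = [r.strip() for r in authz_id.split(",")]
    if len(rdns) < 2 or rdns[-1].lower() != "cn=auth":
        raise ValueError("authzID must end in cn=auth")
    if not rdns[0].lower().startswith("uid=") or len(rdns[0]) == 4:
        raise ValueError("authzID must start with uid=<user>")
    parts = {"user": rdns[0][4:], "realm": None, "op": None, "mech": None}
    for rdn in rdns[1:-1]:  # the option-tagged cn components in between
        m = re.fullmatch(r"cn;(x-realm|x-op|x-mech)=([^=]+)", rdn, re.IGNORECASE)
        if m is None:
            raise ValueError("unrecognised component: %r" % rdn)
        key = _TAGS[m.group(1).lower()]
        if parts[key] is not None:
            raise ValueError("duplicate %s component" % key)
        parts[key] = m.group(2)
    return parts

def canonical_authz_id(parts):
    """Rebuild the ID in fixed component order so rules need not care about order."""
    out = "uid=" + parts["user"]
    for tag, key in _TAGS.items():
        if parts[key] is not None:
            out += ",cn;%s=%s" % (tag, parts[key])
    return out + ",cn=auth"

def map_authz_id(authz_id, rules):
    """Apply sasl-regexp-style (pattern, replacement) rules to the canonical ID.
    Because the op is part of the ID, a rule can grant proxying for one
    operation only. Returns the mapped DN, or None when no rule matches."""
    canon = canonical_authz_id(parse_authz_id(authz_id))
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, canon, re.IGNORECASE)
        if m is not None:
            return m.expand(replacement)
    return None

# Constructed sample rules: "proxy" may act as joe for Add only; a user that
# presents the example.com realm maps to its own entry for any operation.
RULES = [
    (r"uid=proxy,cn;x-op=add,cn=auth", r"cn=joe,ou=people,dc=example,dc=com"),
    (r"uid=([^,;]+),cn;x-realm=example\.com(?:,cn;x-op=[^,]+)?,cn=auth",
     r"cn=\1,ou=people,dc=example,dc=com"),
]
```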