[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: proxy authorization acl

To: Howard Chu <hyc@symas.com>
Subject: Re: proxy authorization acl
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 04 Dec 2004 18:27:13 -0800
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <41B26B8B.8080505@symas.com>
References: <41B26B8B.8080505@symas.com>

We already have a proxy authorization policy mechanism
in authz-regexp (sasl-regex), why do we need another?

Kurt

At 05:59 PM 12/4/2004, Howard Chu wrote:
>OK, it seems we need something like this:
> access to dn.subtree="ou=groups,o=foo"
>     by dn.base="cn=groupProxy" proxy
>
>which basically says that only the "cn=groupProxy" identity is allowed to use proxyAuthorization privileges on the target. In the absence of the proxy right, proxyAuthorization is ineffective. I think it's a bit problematic because anyone who has been using proxyAuthorization previously would now have to add "proxy" rights to all of their existing ACLs. But conceptually it matches the behavior of the other ACL rights (i.e., default denied, must be explicitly granted). Comments?
>
>-- 
> -- Howard Chu
> Chief Architect, Symas Corp.       Director, Highland Sun
> http://www.symas.com               http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: proxy authorization acl
  - From: Howard Chu <hyc@symas.com>

References:
- proxy authorization acl
  - From: Howard Chu <hyc@symas.com>

Prev by Date: proxy authorization acl
Next by Date: HEAD vs 2.2 load times
Index(es):
- Chronological
- Thread