Re: slapo-dynlist desgin question(s)

[Howard Chu <hyc@symas.com>]

Quanah Gibson-Mount wrote:
> --On Saturday, January 13, 2007 1:47 PM -0800 Howard Chu <hyc@symas.com> 
> wrote:
>
>
> > You seem to be under the impression that changing the name of a piece of
> > data changes the nature of the data. If you have an attribute that
> > general users should not be able to see, then they also should not be
> > able to see the dynamic group derived from that attribute. Opening it up
> > in any way is only going to open you to the same liability you claim to
> > want to avoid.
>
> Please explain to me how they would see dynamic groups I haven't given 
> them access to via acl control.

Please explain how those dynamic groups have any relevance to them if they 
are not members of the group.

You asked for the ability to use rootdn privileges to evaluate the membership 
of a dynamic group because the user on whose behalf you are evaluating may 
not have access to evaluate the membership.

This makes no sense. If the user doesn't have access to evaluate the 
membership, then clearly the user doesn't have the values that determine 
membership in the group - thus the user is not a member, so the actual 
membership of that group is a moot point.

> I don't in any way intend to let people see groups they don't have 
> access to *but* if I have to use the user credentials to create groups, 
> that's essentially the position I'm forced into unless I want to make 
> thousands and thousands of ACL's like:

The only reason to use root privilege to evaluate the group membership is to 
make the member list visible where it otherwise would not be. If you're 
claiming that the member list is sensitive information, and should not be 
visible to non-members, then all this does is break your security.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/