
proxy comments



Rob, a few comments:

First, I'd like to note that one of the intended applications of
my grouping I-D is proxying.  We should discuss the pros and cons
of this approach... likely best over a beer.

Abstract: "The Proxied Authorization Control allows a connection with
sufficient privileges to assume the identity of another entry for the
duration of an LDAP request."

"duration of an LDAP request" ?  duration is a poor choice of words
as it implies the control may affect unrelated operations.
"of another entry" ? this assumes that the identity refers to an
entry.  An authorization identity does not have to refer to an entry
(let alone be a DN).

2. Publishing support for the Proxied Authorization Control

s/supportedExtensions/supportedControl/

3. Proxied Authorization Control
   This control may be included in any bind, unbind, search, compare,
   abandon, modify, delete, or modrdn request message as part of the
   controls field of the LDAPMessage, as defined in [1].

This control should be disallowed on bind as the session is
returned to anonymous upon receipt of the request and anonymous
should not be allowed to assert an authorization identity
for the control.   Also, the control should have no impact
upon the session as a whole and hence should be disallowed on
any operation which has direct impact upon the session.  If
provided with bind and marked critical,
unsupportedCriticalExtension should be returned.

The control, IMO, should be inappropriate to provide with
abandon and unbind.  The control should be allowed with
extended operations, excepting those which affect the
session as a whole (such as startTLS).

The syntax of controlType should be LDAPOID and it should have
the value of the OID.

I suggest you make specific mention that servers recognizing
this control MUST return an error if the control is not marked
as being critical.

   The controlValue contains the BER encoding of a DN used for
   evaluating the requested rights:

Suggest (needs work):  The control value is a BER encoded
proxyAuthValue which contains the DN representing the authorization
identity whose rights are requested.

Note again authorized DN vs authzId issue.

4. Permission to execute as proxy

"This means that fewer results, or no results, may be returned"
I assume you meant fewer entry and reference responses, not
results.  That is, the search should still have one result
response.

5. Security Considerations

A more detailed security analysis may be appropriate.