[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL, slapd internal searches

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: SASL, slapd internal searches
From: Igor Brezac <igor@ipass.net>
Date: Sat, 8 Mar 2003 11:25:20 -0500 (EST)
Cc: hyc@highlandsun.com, <openldap-devel@OpenLDAP.org>
In-reply-to: <1300.81.74.43.82.1047116736.squirrel@webmail.sys-net.it>

On Sat, 8 Mar 2003, Pierangelo Masarati wrote:

>
> > A little while back I committed some changes to the sasl/saslauthz code
> > to make sure that it enforced ACLs on all the internal searches it
> > performs. I think some of these changes are wrong/unnecessary. Really,
> > the point of an ACL is to control what an external user can see/touch.
> > When slapd is performing a search to map an authID to a DN, I think this
> > should be treated as a root-privileged operation, ignoring access
> > controls. Aside from the DN itself, nothing about the entry is ever
> > exposed to any external user. Comments?
>
> I did not study your changes; however, I think you should ensure
> that authz code does have the necessary auth permissions, such
> that an administrator is given the possibility to control how
> the auth/authz process takes place, and to inhibit some forms of
> it by means of ACL.  I think this is the spirit of the auth
> permission level.
>

It is important that ACLs be applied to the resulting DN of the internal
search.  However, saslauthz is more complicated than sasl-regex because
sasl-regex is setup by the administrator; on the other hand saslAuthz*
attribs are normally managed by users.  If a root-privileged operations
are allowed, saslAuthzTo can easily be abused.  I wonder if a special
saslAuthz acl can be implemented?

-- 
Igor

References:
- Re: SASL, slapd internal searches
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: SASL, slapd internal searches
Next by Date: Re: SASL, slapd internal searches
Index(es):
- Chronological
- Thread