[Date Prev][Date Next] [Chronological] [Thread] [Top]

proxy authorization acl

To: openldap-devel@OpenLDAP.org
Subject: proxy authorization acl
From: Howard Chu <hyc@symas.com>
Date: Sat, 04 Dec 2004 17:59:39 -0800
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101

OK, it seems we need something like this:
 access to dn.subtree="ou=groups,o=foo"
     by dn.base="cn=groupProxy" proxy

which basically says that only the "cn=groupProxy" identity is allowed to use proxyAuthorization privileges on the target. In the absence of the proxy right, proxyAuthorization is ineffective. I think it's a bit problematic because anyone who has been using proxyAuthorization previously would now have to add "proxy" rights to all of their existing ACLs. But conceptually it matches the behavior of the other ACL rights (i.e., default denied, must be explicitly granted). Comments?

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: proxy authorization acl
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: How the backend knows it's being searched by syncprov?
Next by Date: Re: proxy authorization acl
Index(es):
- Chronological
- Thread