proxy authorization acl
- To: openldap-devel@OpenLDAP.org
- Subject: proxy authorization acl
- From: Howard Chu <hyc@symas.com>
- Date: Sat, 04 Dec 2004 17:59:39 -0800
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101
OK, it seems we need something like this:
access to dn.subtree="ou=groups,o=foo"
by dn.base="cn=groupProxy" proxy
which basically says that only the "cn=groupProxy" identity is allowed
to use proxyAuthorization privileges on the target. In the absence of
the proxy right, proxyAuthorization is ineffective. I think it's a bit
problematic because anyone who has been using proxyAuthorization
previously would now have to add "proxy" rights to all of their existing
ACLs. But conceptually it matches the behavior of the other ACL rights
(i.e., default denied, must be explicitly granted). Comments?
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
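The following is an added illustration of the semantics proposed in the message above; it is not OpenLDAP code and not something the author posted. It models the "proxy" right as a default-denied ACL privilege that the bound identity must hold on the target before a proxyAuthorization control is honoured, and compares that with the old behaviour in which the control did not consult these ACLs at all. Assumptions (all labelled in the code): a simplified first-matching-clause evaluation, case-folded DN comparison, the made-up identities cn=alice,ou=people,o=foo and cn=admins,ou=groups,o=foo, a require_proxy_right switch that selects old versus proposed behaviour, and the reading of "ineffective" as refusing the proxied operation rather than silently running it as the bound identity.

```python
# Added illustration of the proposed "proxy" ACL right; not OpenLDAP code.
# The clause shape mirrors slapd.conf "access to <what> by <who> <priv>",
# but evaluation is deliberately simplified (see comments).

def _norm(dn):
    # Assumption: case-insensitive DN comparison, no other normalisation.
    return dn.lower()

def in_subtree(entry, base):
    """True if entry lies at or below base (dn.subtree semantics)."""
    entry, base = _norm(entry), _norm(base)
    return entry == base or entry.endswith("," + base)

# Constructed sample ACLs. Each clause is (subtree target, {who: privileges}).
# "cn=groupProxy" and "ou=groups,o=foo" come from the post; alice and the
# admins group are made up for the example.
PROPOSED_ACLS = [
    ("ou=groups,o=foo", {
        _norm("cn=groupProxy"): {"proxy"},            # the line the post proposes
        _norm("cn=alice,ou=people,o=foo"): {"read"},
    }),
]

# A pre-existing deployment: the proxy identity is not listed at all,
# because proxyAuthorization did not consult these ACLs before.
LEGACY_ACLS = [
    ("ou=groups,o=foo", {
        _norm("cn=alice,ou=people,o=foo"): {"read"},
    }),
]

def granted(acls, who, entry, priv):
    """Assumption: the first 'access to' clause matching the entry decides,
    and an unlisted subject gets nothing (default deny)."""
    for target, grants in acls:
        if in_subtree(entry, target):
            return priv in grants.get(_norm(who), set())
    return False

def effective_identity(acls, bound_dn, authz_dn, entry, require_proxy_right):
    """Identity the operation runs as, or None if the proxyAuthorization
    control has to be refused.
    require_proxy_right=False models the old behaviour (control honoured
    without consulting these ACLs; any other proxy-authorization checks
    slapd applies are outside this model).
    require_proxy_right=True models the proposal."""
    if authz_dn is None:
        return bound_dn
    if not require_proxy_right or granted(acls, bound_dn, entry, "proxy"):
        return authz_dn
    # Assumption: "ineffective" is taken to mean the proxied operation is
    # refused rather than silently run as bound_dn.
    return None

def authorize(acls, bound_dn, authz_dn, entry, priv, require_proxy_right=True):
    """Return (identity the operation ran as, allowed?)."""
    ident = effective_identity(acls, bound_dn, authz_dn, entry, require_proxy_right)
    if ident is None:
        return None, False
    return ident, granted(acls, ident, entry, priv)

if __name__ == "__main__":
    proxy, alice = "cn=groupProxy", "cn=alice,ou=people,o=foo"
    entry = "cn=admins,ou=groups,o=foo"
    print("proposed, proxy right present :", authorize(PROPOSED_ACLS, proxy, alice, entry, "read"))
    print("proposed, legacy ACLs          :", authorize(LEGACY_ACLS, proxy, alice, entry, "read"))
    print("old behaviour, legacy ACLs     :", authorize(LEGACY_ACLS, proxy, alice, entry, "read", require_proxy_right=False))
    print("proxy right outside its target :", authorize(PROPOSED_ACLS, proxy, alice, "cn=bob,ou=people,o=foo", "read"))
```

The second and third calls are the migration problem the message raises: the same legacy ACLs that let cn=groupProxy proxy as alice under the old behaviour refuse it once the "proxy" right is required, until a "by dn.base="cn=groupProxy" proxy" line is added. The last call shows the right is scoped to the target subtree, so holding it on ou=groups,o=foo grants nothing elsewhere.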