Re: proxy authorization acl



We already have a proxy authorization policy mechanism
in authz-regexp (sasl-regex), why do we need another?

Kurt

At 05:59 PM 12/4/2004, Howard Chu wrote:
>OK, it seems we need something like this:
> access to dn.subtree="ou=groups,o=foo"
>     by dn.base="cn=groupProxy" proxy
>
>which basically says that only the "cn=groupProxy" identity is allowed to use proxyAuthorization privileges on the target. In the absence of the proxy right, proxyAuthorization is ineffective. I think it's a bit problematic because anyone who has been using proxyAuthorization previously would now have to add "proxy" rights to all of their existing ACLs. But conceptually it matches the behavior of the other ACL rights (i.e., default denied, must be explicitly granted). Comments?
>
>-- 
> -- Howard Chu
> Chief Architect, Symas Corp.       Director, Highland Sun
> http://www.symas.com               http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support