Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
Howard Chu wrote:
>> For the realdn, I'm currently assuming that the only place where
>> identity may change is inside parseProxyAuthz(); I added an o_realndn
>> field to the operation structure. This field is supposed to be
>> BER_BVNULL unless proxyAuthz occurred; if it is NULL, the "realdn"
>> clause, if present, is evaluated using the o_ndn field; if it is not
>> NULL, it behaves as expected. Maybe, in the case of a SASL bind, we could
>> store in o_ndn the DN constructed before authz via authz-regexp rules.
>
> Does this really belong in op->o_realndn? Perhaps we should have it
> back in conn->c_dn.
You mean: directly use conn->c_dn instead of copying it into op->o_realndn?
> As for storing the DN prior to authz-regexp, I'm inclined to disagree.
> The result of regexp mapping is still an authcDN, not an authzDN, and
> I'm not convinced that we need to refer back to the SASLDN after
> mapping has been done.
Right.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497