
Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)



At 04:39 PM 4/2/2005, Howard Chu wrote:
>The patch looks good, but now I see that I was overlooking something. We don't preserve the authcDN if someone does a SASL Bind with proxy authorization. In that case we actually need to store both an authcDN and an authzDN in the Connection structure, if we really want to handle that case. Otherwise, what we have now should work for the proxyAuth control, which is good. 

Right.  Note that with SASL proxying and LDAP proxying, one
can have multiple levels of proxying.   But, for simplicity,
we just need to know what the real (authcDN) is and the
effective (authzDN) is.  The intermediate identities
don't need to be subjects in the access control policy.

Kurt