Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)
> I suspect we're all agreeing. I think your code is fine and
> appears safe to commit.
OK, the patch is committed, accounting for Howard's comments, and Howard
committed a fix to SASL bind that should keep the authcDN and the authzDN
separate and accessed accordingly for "realdn" vs. "dn" ACL evaluation. I
say "should" because I couldn't put my hands on the code yet, but I'm
positive the feature is now working as intended. I'll add some tests to
test006.
Ciao, p.
>
> Just to be sure, here is an identity mapping summary as it
> relates to subject identities (the identity subject to access
> controls).
>
> When simple bind is used, the bind name is not only the
> authcId and authzId, but these map directly to the authcDN and
> authzDN. When SASL bind is used, the authcID and authzID
> are not only possibly different, but each is mapped to
> produce the authcDN and authzDN. When the proxy authorization
> control is used, a new authzId is provided by the client, which through
> mapping generates a new authzDN. The real subject should be
> the authcDN, the effective subject is the authzDN.
>
> Kurt
>
>
>
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
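The identity-mapping summary above, written out as an added toy model (not OpenLDAP code, and not the patch discussed in the thread). It shows the three ways a subject pair is formed (simple bind, SASL bind with separate authcId/authzId, proxy authorization control) and how a "dn"-style clause is checked against the effective subject (authzDN) while a "realdn" clause is checked against the real subject (authcDN). The mapping table, the tuple-based ACL syntax, the "self" clause being compared with the effective subject, and all DNs and identities are constructed assumptions for the illustration; slapd's real authz-regexp and slapd.access syntax are not reproduced.

```python
"""Toy model of authcDN vs. authzDN in ACL evaluation (constructed example).

Not OpenLDAP code. The mapping dictionary stands in for authz-regexp, the ACL is
a list of tuples rather than slapd.conf syntax, and first matching "by" clause
wins, as in slapd.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed mapping table: SASL authcId/authzId -> DN (stands in for authz-regexp).
ID_MAP = {
    "u:alice": "uid=alice,ou=people,dc=example,dc=com",
    "u:bob": "uid=bob,ou=people,dc=example,dc=com",
    "u:proxy": "cn=proxy,ou=services,dc=example,dc=com",
}


@dataclass(frozen=True)
class Subject:
    """Identity pair attached to an operation."""
    authc_dn: str  # real subject: who actually authenticated
    authz_dn: str  # effective subject: whose privileges the operation uses


def map_id(identity: str) -> str:
    """Map an authcId/authzId string to a DN; unmapped identities are rejected."""
    try:
        return ID_MAP[identity]
    except KeyError:
        raise ValueError(f"unmapped identity: {identity}")


def simple_bind(bind_dn: str) -> Subject:
    # Simple bind: the bind name is authcId, authzId, authcDN and authzDN at once.
    return Subject(authc_dn=bind_dn, authz_dn=bind_dn)


def sasl_bind(authc_id: str, authz_id: Optional[str] = None) -> Subject:
    # SASL bind: authcId and authzId may differ; each is mapped to a DN separately.
    authc_dn = map_id(authc_id)
    authz_dn = map_id(authz_id) if authz_id else authc_dn
    return Subject(authc_dn=authc_dn, authz_dn=authz_dn)


def proxy_authorize(subject: Subject, new_authz_id: str) -> Subject:
    # Proxy authorization control: the client supplies a new authzId, which is
    # mapped to a new authzDN; the real subject (authcDN) is unchanged.
    return Subject(authc_dn=subject.authc_dn, authz_dn=map_id(new_authz_id))


# Constructed ACL for a password attribute. Clause kinds (assumed for this model):
#   "dn"     -> compared with the effective subject (authzDN)
#   "realdn" -> compared with the real subject (authcDN)
#   "self"   -> target entry is the effective subject
#   "*"      -> anyone
Clause = Tuple[str, Optional[str], str]
ACL_USERPASSWORD: List[Clause] = [
    # A service that impersonates users never reaches passwords, whoever it
    # is currently authorized as: this clause looks at the real identity.
    ("realdn", ID_MAP["u:proxy"], "none"),
    ("self", None, "write"),
    ("*", None, "auth"),
]


def evaluate(clauses: List[Clause], subject: Subject, target_dn: str) -> str:
    """Return the access level the first matching clause grants to `subject`."""
    for kind, value, access in clauses:
        if kind == "dn" and subject.authz_dn == value:
            return access
        if kind == "realdn" and subject.authc_dn == value:
            return access
        if kind == "self" and subject.authz_dn == target_dn:
            return access
        if kind == "*":
            return access
    return "none"


if __name__ == "__main__":
    alice = ID_MAP["u:alice"]
    # Alice binds as herself: effective and real subject coincide -> write.
    print(evaluate(ACL_USERPASSWORD, simple_bind(alice), alice))
    # The proxy service authenticates as itself, then authorizes as Alice:
    # "self" would match the effective subject, but the earlier "realdn"
    # clause sees the real subject first and denies.
    svc = proxy_authorize(sasl_bind("u:proxy"), "u:alice")
    print(svc.authc_dn, "->", svc.authz_dn)
    print(evaluate(ACL_USERPASSWORD, svc, alice))
```

The point of the ordering is the one the "realdn" clauses exist for: a clause keyed on the effective subject alone cannot distinguish Alice from a service acting as Alice, so any rule meant to limit an impersonating identity has to be written against the real subject and placed before the "self"/"dn" rules it overrides.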