
Re: commit: ldap/servers/slapd/overlays dyngroup.c



Pierangelo Masarati wrote:
> As I commented on ldapext@ietf.org on that draft, I think we should
> rather enhance that concept by providing granular access policies.  For
> example:
>
> a) absent dgIdentity: search with user's identity

Maintains backward compatibility, fine.

> b) empty dgIdentity: search anonymously

Fine.

> c) present dgIdentity: search with dgIdentity; but: if dgAuthz is
> present, check that user's identity complies with that policy (much like
> idassert-authzFrom, with 1.3.6.1.4.1.4203.666.2.7 OpenLDAP authz syntax).
>
> A dgPolicy flag could determine what behavior, in case of no compliance
> with policy, should be taken: either (a) or (b), or none.

dgAuthz seems like overkill. If the user has read/search privs on the group entry, that ought to be sufficient.

> I don't think the original Author was fine with my remarks, so we should
> just take our own path, and perhaps re-define dgIdentity, to clearly
> depart from that (broken, IMHO) draft.

Heh, that draft was broken in more ways than I could count.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
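A model of the three-way dgIdentity policy discussed above, added here as an example and not code from the thread or from the OpenLDAP sources. The attribute names (dgIdentity, dgAuthz, dgPolicy) come from the messages; the dgPolicy values "user", "anonymous" and "deny", and the simplified subset of authz syntax handled (dn.exact, dn.subtree, dn.children, dn.regex, "*", with DNs split on unescaped commas), are assumptions.

```python
import re
from typing import Optional

# Constructed model of the proposed dgIdentity / dgAuthz / dgPolicy semantics.
# Not OpenLDAP code; the dgPolicy values and the authz subset are assumptions.

def _rdns(dn: str) -> list:
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def authz_matches(rule: str, user_dn: str) -> bool:
    """True if user_dn satisfies one dgAuthz rule (simplified authz syntax)."""
    if rule == "*":
        return True
    style, _, value = rule.partition(":")
    if style == "dn.regex":
        return re.fullmatch(value, user_dn, re.IGNORECASE) is not None
    user, base = _rdns(user_dn), _rdns(value)
    if style == "dn.exact":
        return user == base
    if style == "dn.subtree":                 # entry itself or below it
        return len(user) >= len(base) and user[-len(base):] == base
    if style == "dn.children":                # strictly below the base
        return len(user) > len(base) and user[-len(base):] == base
    raise ValueError(f"unsupported authz style: {style}")

def search_identity(group: dict, user_dn: str) -> Optional[str]:
    """Return the DN the memberURL search runs as; None means anonymous.

    Raises PermissionError when dgPolicy says a non-compliant user gets
    neither fallback ("none" in the proposal, spelled "deny" here).
    """
    if "dgIdentity" not in group:             # (a) absent: user's own identity
        return user_dn
    ident = group["dgIdentity"]
    if ident == "":                           # (b) empty: anonymous search
        return None
    rules = group.get("dgAuthz", [])          # (c) present: enforce dgAuthz if set
    if not rules or any(authz_matches(r, user_dn) for r in rules):
        return ident
    policy = group.get("dgPolicy", "deny")    # non-compliant: fall back per dgPolicy
    if policy == "user":
        return user_dn                        # behave like (a)
    if policy == "anonymous":
        return None                           # behave like (b)
    raise PermissionError(f"{user_dn} not permitted by dgAuthz of {ident}")
```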