Re: commit: ldap/servers/slapd/overlays dyngroup.c

[Howard Chu <hyc@symas.com>]

Pierangelo Masarati wrote:
> As I commented on ldapext@ietf.org on that draft, I think we should
> rather enhance that concept by providing granular access policies.  For
> example:
>
> a) absent dgIdentity: search with user's identity

Maintains backward compatibility, fine.

> b) empty dgIdentity: search anonymously

Fine.

> c) present dgIdentity: search with dgIdentity; but: if dgAuthz is
> present, check that user's identity complies with that policy (much like
> idassert-authzFrom, with 1.3.6.1.4.1.4203.666.2.7 OpenLDAP authz syntax.
>
> A dgPolicy flag could determine what behavior, in case of no compliance
> with policy, should be taken: either (a) or (b), or none.

dgAuthz seems like overkill. If the user has read/search privs on the group 
entry, that ought to be sufficient.

> I don't think the original Author was fine with my remarks, so we should
> just take our own path, and perhaps re-define dgIdentity, to clearly
> depart from that (broken, IMHO) draft.

Heh, that draft was broken in more ways than I could count.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/