Re: commit: ldap/servers/slapd/overlays dyngroup.c
Howard Chu wrote:
>> A dgPolicy flag could determine what behavior, in case of no compliance
>> with policy, should be taken: either (a) or (b), or none.
>
> dgAuthz seems like overkill. If the user has read/search privs on the
> group entry, that ought to be sufficient.
I disagree: by running an internal operation with dgIdentity, and
returning the results of that operation, you'd break the security model
of OpenLDAP. In fact, a dynamic group can unveil data that would
otherwise be inaccessible to a user. In fact, only running the search
with the user's identity guarantees the security model is not broken,
but dgAuthz, at least, gives some granularity. This breaks neither
backwards compatibility nor draft-haripriya-dynamicgroup: those
who want to stick with it only have to ignore dgAuthz.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
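The point argued in this reply, as an added toy model written for this page (it is not OpenLDAP code and does not use slapd's real ACL or overlay machinery): a dynamic group's memberURL is expanded by an internal search, and the identity that search runs as decides which entries become visible. The directory contents, the reader sets standing in for ACLs, and the reading of dgAuthz as a list of requester DNs allowed to benefit from dgIdentity are all constructed assumptions for illustration.

```python
"""Toy model of dynamic-group expansion under different search identities.

Constructed example, not OpenLDAP code: a tiny in-memory directory with a
per-entry "readers" set standing in for slapd ACLs, one groupOfURLs-style
entry, and three expansion policies (requester identity, dgIdentity for
everyone, dgIdentity gated by dgAuthz).
"""

# Constructed directory: DN -> attributes. "_readers" stands in for the ACLs;
# "*" means anyone may read the entry. Bob's entry is deliberately hidden
# from everyone except himself and the manager identity.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"dept": "eng", "_readers": {"*"}},
    "uid=bob,ou=people,dc=example,dc=com": {
        "dept": "eng",
        "_readers": {"uid=bob,ou=people,dc=example,dc=com",
                     "cn=manager,dc=example,dc=com"},
    },
    "uid=carol,ou=people,dc=example,dc=com": {"dept": "finance", "_readers": {"*"}},
}

# Constructed dynamic group. dgAuthz is modelled as a set of requester DNs that
# are allowed to have the internal search run as dgIdentity (an assumption).
ENGINEERS = {
    "dn": "cn=engineers,ou=groups,dc=example,dc=com",
    "memberURL": "ldap:///ou=people,dc=example,dc=com??sub?(dept=eng)",
    "dgIdentity": "cn=manager,dc=example,dc=com",
    "dgAuthz": {"uid=alice,ou=people,dc=example,dc=com"},
}


def parse_member_url(url):
    """Split an LDAP URL (base?attrs?scope?filter) into (base, scope, attr, value).

    Only a single equality filter such as (dept=eng) is handled in this toy.
    """
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are modelled")
    parts = url[len("ldap:///"):].split("?")
    base = parts[0]
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = parts[3] if len(parts) > 3 else "(objectClass=*)"
    attr, value = filt.strip("()").split("=", 1)
    return base, scope, attr, value


def can_read(entry_dn, identity):
    """True if the identity may read the entry under the toy ACLs."""
    readers = DIRECTORY[entry_dn]["_readers"]
    return "*" in readers or identity in readers


def in_scope(entry_dn, base, scope):
    """Does entry_dn fall inside the search base for the given scope?"""
    if scope == "sub":
        return entry_dn == base or entry_dn.endswith("," + base)
    if scope == "one":
        return entry_dn.split(",", 1)[1] == base
    return entry_dn == base  # "base" scope


def search(identity, base, scope, attr, value):
    """Entries matching the filter that the searching identity is allowed to see.

    Unreadable entries are simply absent, which is how ACL-filtered search
    results behave: the requester cannot tell they exist.
    """
    return sorted(
        dn for dn, entry in DIRECTORY.items()
        if in_scope(dn, base, scope) and entry.get(attr) == value
        and can_read(dn, identity)
    )


def expand_group(group, requester, use_dg_identity, honour_dg_authz=True):
    """Expand the group's memberURL as seen by 'requester'.

    use_dg_identity=False: the internal search runs as the requester, so the
        result can never contain entries the requester could not read anyway.
    use_dg_identity=True, honour_dg_authz=False: every requester gets the
        search run as dgIdentity, so hidden entries leak to anyone.
    use_dg_identity=True, honour_dg_authz=True: only requesters listed in
        dgAuthz get the dgIdentity search; everyone else falls back to their
        own identity.
    """
    base, scope, attr, value = parse_member_url(group["memberURL"])
    identity = requester
    if use_dg_identity and group.get("dgIdentity"):
        if not honour_dg_authz or requester in group.get("dgAuthz", ()):
            identity = group["dgIdentity"]
    return search(identity, base, scope, attr, value)


if __name__ == "__main__":
    carol = "uid=carol,ou=people,dc=example,dc=com"
    print("as requester:        ", expand_group(ENGINEERS, carol, False))
    print("dgIdentity, no authz:", expand_group(ENGINEERS, carol, True, False))
    print("dgIdentity + dgAuthz:", expand_group(ENGINEERS, carol, True))
```

Running it shows carol, who has no read access to bob's entry, learning of bob's membership only in the unrestricted dgIdentity case; with the search bound to her own identity, or with dgAuthz gating who may use dgIdentity, the expansion reveals nothing she could not have searched for herself.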