Howard Chu wrote:
> A dgPolicy flag could determine what behavior, in case of no compliance
> with policy, should be taken: either (a) or (b), or none.
> dgAuthz seems like overkill. If the user has read/search privs on the
> group entry, that ought to be sufficient.
I disagree: by running an internal operation with dgIdentity, and
returning the results of that operation, you'd break the security model
of OpenLDAP. In fact, a dynamic group can unveil data that would
otherwise be inaccessible to a user. In fact, only running the search
with the user's identity guarantees the security model is not broken,
but dgAuthz, at least, gives some granularity. This breaks neither
backwards compatibility nor draft-haripriya-dynamicgroup: those
who want to stick with it only have to ignore dgAuthz.
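To make the argument above concrete, here is a toy model of dynamic-group expansion under the three policies being discussed. It is an added illustration written for this page, not OpenLDAP code and not the dynlist overlay's implementation: the directory entries, the ACL, the identity names (cn=alice, cn=dgadmin) and the `expand`/`leaked_to` helpers are all constructed, and the dgAuthz rule it applies (only requesters listed in dgAuthz get the search run as dgIdentity; everyone else gets it run as themselves) is an assumed reading of the proposal, not a statement of the overlay's actual semantics.

```python
"""Toy model: who sees what when a dynamic group's memberURL is expanded.

Constructed example for illustration only; none of this is OpenLDAP code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed sample directory: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=people,dc=example,dc=com": {"cn": "alice", "dept": "eng"},
    "cn=bob,ou=people,dc=example,dc=com": {"cn": "bob", "dept": "eng"},
    "cn=carol,ou=hr,dc=example,dc=com": {"cn": "carol", "dept": "hr"},
}

# Constructed read/search ACL: identity -> subtrees it may read.
# Identities not listed (including anonymous) read nothing.
ACL: Dict[str, Set[str]] = {
    "cn=alice,ou=people,dc=example,dc=com": {"ou=people,dc=example,dc=com"},
    # cn=dgadmin is the assumed dgIdentity: it can read the whole tree.
    "cn=dgadmin,dc=example,dc=com": {
        "ou=people,dc=example,dc=com",
        "ou=hr,dc=example,dc=com",
    },
}

Filter = Callable[[Dict[str, str]], bool]


def can_read(identity: str, dn: str) -> bool:
    """Read (and therefore search) access to an entry under the toy ACL."""
    return any(dn.endswith(base) for base in ACL.get(identity, ()))


def search(identity: str, base: str, flt: Filter) -> List[str]:
    """Subtree search evaluated with the given identity's privileges."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith(base) and can_read(identity, dn) and flt(attrs)
    )


@dataclass
class DynamicGroup:
    base: str
    flt: Filter
    dg_identity: Optional[str] = None          # identity the internal search runs as
    dg_authz: Set[str] = field(default_factory=set)  # requesters allowed to use it


def expand(group: DynamicGroup, requester: str) -> List[str]:
    """Members of the dynamic group as seen by `requester`.

    Without dgIdentity the memberURL search runs as the requester, so it can
    never reveal more than the requester could read directly.  With
    dgIdentity it runs as that identity.  Assumed dgAuthz rule (an assumption
    of this toy, not the overlay's documented behaviour): if dg_authz is set,
    only requesters listed in it get the dgIdentity expansion; others fall
    back to their own identity.
    """
    identity = requester
    if group.dg_identity is not None and (
        not group.dg_authz or requester in group.dg_authz
    ):
        identity = group.dg_identity
    return search(identity, group.base, group.flt)


def leaked_to(group: DynamicGroup, requester: str) -> List[str]:
    """Entries the expansion shows that the requester could not read directly."""
    return [dn for dn in expand(group, requester) if not can_read(requester, dn)]


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    admin = "cn=dgadmin,dc=example,dc=com"
    everyone: Filter = lambda attrs: True
    as_requester = DynamicGroup("dc=example,dc=com", everyone)
    as_dgidentity = DynamicGroup("dc=example,dc=com", everyone, dg_identity=admin)
    gated = DynamicGroup("dc=example,dc=com", everyone, dg_identity=admin, dg_authz={admin})
    print("run as requester, leaked to alice:", leaked_to(as_requester, alice))
    print("run as dgIdentity, leaked to alice:", leaked_to(as_dgidentity, alice))
    print("dgIdentity gated by dgAuthz, leaked to alice:", leaked_to(gated, alice))
```

The middle case is the point of the objection: with only dgIdentity, alice's expansion of the group lists cn=carol under ou=hr, an entry the ACL never lets alice read. Running the search as the requester closes that hole entirely; the assumed dgAuthz gate closes it for alice while still letting the listed identity get the privileged expansion.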