Antw: Re: Q: roles for authentication
>>> Michael Ströder <michael@stroeder.com> wrote on 09.12.2014 at 15:47 in
message <54870B9E.2080306@stroeder.com>:
> Ulrich Windl wrote:
>> I have a question: You can define roles for authentication this way:
>
> You probably are talking about authorization, not authentication.
OK!
>
>> Multiple DNs can be members of a group/role, and you can use group names
>> when assigning ACLs.
>> To authenticate, a user will use his DN and own password.
>>
>> Now when a DN is member of multiple roles/groups, authenticating as member
>> assigns all the rights each group/role has.
>
> It depends. Note that order of the ACLs and <who> clause within ACLs is
> significant.
But you use the role name for <who>, right?
>
>> The idea of a role however is that a user "changes hats", depending on the
>> task he is doing.
>>
>> I wonder: Is it possible to authenticate with a group/role's DN and the
>> user's (a member) password?
>>
>> Or is there some other mechanism to achieve what I want?
>
> You could allow a single authenticated user to define a certain authz
> identity. You should make yourself familiar with SASL authz-ID, proxy authz
> and authzTo/authzFrom attributes.
>
> If you're still feeling hungry for more intellectual input you can dive into
> various RBAC approaches presented at LDAPcon 2011 and 2013.
Any paper or URI for that?
>
> But IMO there's not much point in doing so because if the user's credentials
> are intercepted the attacker can gain access to any role.
Correct.
>
> Ciao, Michael.
Thank you for answering!
Regards,
Ulrich
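The "hat changing" Michael points to (proxy authz with authzTo, plus ordered ACLs whose first matching <who> clause wins) can be wired up as below. This is an added example, not configuration from either poster; the suffix dc=example,dc=com, the user uid=ulrich, the role entry cn=admin-hat and the group cn=auditors are all assumed names.

```conf
# slapd.conf fragment (added example, assumed names throughout).
# The user binds with his own DN and password and only assumes the
# role DN for the task at hand, via the proxied authorization control.

# Let a bound entry assume the identities listed in its own authzTo attribute.
authz-policy to

# Entry of the user (LDIF, shown as a comment). Only this one role DN may be
# assumed; keep the list to exactly the hats the user needs (least privilege):
#
#   dn: uid=ulrich,ou=people,dc=example,dc=com
#   authzTo: dn.exact:cn=admin-hat,ou=roles,dc=example,dc=com
#
# Client side, simple bind as the user, then ask to act as the role:
#
#   ldapwhoami -x -D "uid=ulrich,ou=people,dc=example,dc=com" -W \
#       -e '!authzid=dn:cn=admin-hat,ou=roles,dc=example,dc=com'
#
# slapd answers with the role DN, and the ACLs below are evaluated against it.

# ACLs are tried in order; within one ACL the first <who> clause that matches
# decides, so the broad "by users" line must come after the role-specific ones.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by dn.exact="cn=admin-hat,ou=roles,dc=example,dc=com" write
    by anonymous auth
    by * none

# The auditors group grants read only; a plain bound user sees nothing here.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin-hat,ou=roles,dc=example,dc=com" write
    by group/groupOfNames/member="cn=auditors,ou=roles,dc=example,dc=com" read
    by self read
    by * none
```

Note that, as Michael says, this does not protect against stolen credentials: whoever holds the user's password can present the same authzid, so the gain is separation of duties and an audit trail (the bound DN and the assumed DN both appear in slapd's log), not stronger authentication.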