At this time, 389-ds is not correctly in conformance to RFC 4511. Due to the behaviour of the proxy aci, it currently operates as:
"Given some target user, allow proxy to any DN over some subtree X".
The issue with this is that until we are ready to get the results, we cannot send back LDAP_X_PROXY_AUTHZ_FAILURE, and by then we cannot distinguish between a failure to proxy, or a failure for the DN to access the subtree itself.
We should add a new aci type which better expresses the proxy control, and is closer to the rfc.
The new right would be called "authz" rather than proxy. We will need to support both for some time.
The new right would express permissions:
"Given some target (userdn, groupdn), allow proxy to the DNs matched by the target*"
This allows correct setting of LDAP_X_PROXY_AUTHZ_FAILURE early in execution, and would act as a true proxy for object to target. After the proxy right is evaluated and set, then the ACIs of the target DN ONLY would need to be checked, rather than the complex double-check we have with the proxy right at this time.
This supersedes and replaces #48367
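A minimal model of the two evaluation orders the ticket contrasts, added here as an illustration; it is not 389-ds-base code. The ACI representation (a proxy right scoped to a subtree versus an authz right scoped to a set of target DNs), the sample DNs and the per-entry read permissions are constructed assumptions, and groupdn targets are left out.

```python
from dataclasses import dataclass

PROXY_AUTHZ_FAILURE = "LDAP_X_PROXY_AUTHZ_FAILURE"
INSUFFICIENT_ACCESS = "insufficientAccessRights"
SUCCESS = "success"

# Constructed sample DNs (assumptions, not from the ticket).
SVC = "uid=svc,ou=services,dc=example,dc=com"   # bound service account
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"

def in_subtree(dn, subtree):
    return dn == subtree or dn.endswith("," + subtree)

@dataclass
class ProxyAci:
    """Current 'proxy' right: bound user may act as ANY DN when touching subtree."""
    bound_user: str
    subtree: str

@dataclass
class AuthzAci:
    """Proposed 'authz' right: bound user may act only as the DNs the target matches."""
    bound_user: str
    target_dns: frozenset

# Constructed per-entry read permissions: entry -> set of DNs allowed to read it.
ENTRY_ACIS = {ALICE: {ALICE}, BOB: {BOB}}
PROXY_ACIS = [ProxyAci(SVC, "ou=people,dc=example,dc=com")]
AUTHZ_ACIS = [AuthzAci(SVC, frozenset({ALICE}))]

def current_model(bound, authz_dn, entry):
    """Proxy right and target ACIs are both evaluated per entry at result time,
    so a denial cannot say which of the two checks failed."""
    proxied = any(a.bound_user == bound and in_subtree(entry, a.subtree) for a in PROXY_ACIS)
    target_ok = authz_dn in ENTRY_ACIS.get(entry, set())
    return SUCCESS if proxied and target_ok else INSUFFICIENT_ACCESS

def proposed_model(bound, authz_dn, entry):
    """Proxy right is decided once, up front; afterwards only the target DN's ACIs apply."""
    if not any(a.bound_user == bound and authz_dn in a.target_dns for a in AUTHZ_ACIS):
        return PROXY_AUTHZ_FAILURE   # returnable before any entry is examined
    return SUCCESS if authz_dn in ENTRY_ACIS.get(entry, set()) else INSUFFICIENT_ACCESS
```

With the current model, svc proxying as bob to read alice's entry and svc proxying as alice to read bob's entry both come back as the same access denial; with the proposed model the first is reported as a proxy failure and the second as the target DN's own lack of access.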
Metadata Update from @firstyear: - Issue set to the milestone: 1.3.6 backlog
Metadata Update from @firstyear: - Issue close_status updated to: None - Issue set to the milestone: FUTURE (was: 1.3.6 backlog)
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to None - Issue tagged with: RFE
Metadata Update from @mreynolds: - Issue tagged with: Access Control
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1907
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)