#48847 RFC 4511: Proxy authz aci type
Closed: wontfix 3 years ago by spichugi. Opened 7 years ago by firstyear.

At this time, 389-ds is not correctly in conformance to rfc 4511. Due to the behaviour of the proxy aci, it currently operates as:

"Given some target user, allow proxy to any DN over some subtree X".

The issue with this is that until we are ready to get the results, we cannot send back LDAP_X_PROXY_AUTHZ_FAILURE, and by then we cannot distinguish between a failure to proxy and a failure for the DN to access the subtree itself.

We should add a new aci type which better expresses the proxy control, and is closer to the rfc.

The new right would be called "authz" rather than proxy. We will need to support both for some time.

The new right would express permissions:

"Given some target (userdn, groupdn), allow proxy to the DNs matched by the target*"

This allows correct setting of LDAP_X_PROXY_AUTHZ_FAILURE early in execution, and would act as a true proxy for object to target. After the proxy right is evaluated and set, then the acis of the target dn ONLY would need to be checked, rather than the complex double-check we have with the proxy right at this time.

This supersedes and replaces #48367.
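The following is an added illustration, not code from the ticket or from 389-ds, and the "authz" right it models is the hypothetical one proposed above, not something the server implements. It contrasts the two evaluation orders the ticket describes with a toy access-control model: the current order checks the binder's proxy right and the proxied identity's read right together per result, so a refused proxy and a refused read collapse into the same answer; the proposed order settles the proxy question first, can return a proxy-specific failure before the operation runs, and then consults only the proxied identity's own read rules. DNs, rules and result-code names are constructed for the example.

```python
"""Toy model of the two ACI evaluation orders described in the ticket.

Constructed illustration only: not 389-ds code, and the 'authz' right is
the hypothetical one proposed in the ticket. Result codes are symbolic
names, not numeric values from any LDAP header.
"""
from dataclasses import dataclass


def dn_parts(dn: str) -> tuple:
    """Split a DN into normalised RDN components, leaf first."""
    return tuple(p.strip().lower() for p in dn.split(","))


def is_under(dn: str, subtree: str) -> bool:
    """True when dn equals subtree or lies below it."""
    d, s = dn_parts(dn), dn_parts(subtree)
    return len(d) >= len(s) and d[-len(s):] == s


@dataclass
class ProxyAci:
    """Current semantics: bind_dn may act as ANY DN over entries under subtree."""
    bind_dn: str
    subtree: str


@dataclass
class AuthzAci:
    """Proposed (hypothetical) semantics: bind_dn may act as DNs matched by target."""
    bind_dn: str
    target: str


@dataclass
class ReadAci:
    """Ordinary read right of a bound identity over a subtree."""
    bind_dn: str
    subtree: str


def current_search(bind_dn, proxy_dn, entries, proxy_acis, read_acis):
    """Current order: the operation runs first, then each result is checked for
    the binder's proxy right AND the proxied identity's read right.  Either
    failure produces the same outcome, so the client cannot tell them apart."""
    visible = []
    for entry in entries:
        proxy_ok = any(a.bind_dn == bind_dn and is_under(entry, a.subtree) for a in proxy_acis)
        read_ok = any(a.bind_dn == proxy_dn and is_under(entry, a.subtree) for a in read_acis)
        if proxy_ok and read_ok:
            visible.append(entry)
    code = "success" if visible else "insufficientAccessRights"
    return code, visible


def proposed_search(bind_dn, proxy_dn, entries, authz_acis, read_acis):
    """Proposed order: decide the proxy question up front and fail with a
    proxy-specific code before any result is computed; afterwards apply only
    the proxied identity's own read ACIs."""
    if not any(a.bind_dn == bind_dn and is_under(proxy_dn, a.target) for a in authz_acis):
        return "proxyAuthzFailure", []
    visible = [e for e in entries
               if any(a.bind_dn == proxy_dn and is_under(e, a.subtree) for a in read_acis)]
    code = "success" if visible else "insufficientAccessRights"
    return code, visible


# Constructed sample directory and rules (not from any real deployment).
BASE = "dc=example,dc=com"
PEOPLE = "ou=people," + BASE
PROXY = "uid=proxy,ou=services," + BASE
ALICE = "uid=alice," + PEOPLE
ROOT = "uid=root,ou=admin," + BASE
ENTRIES = [ALICE, "uid=bob," + PEOPLE, "cn=secret,ou=admin," + BASE]
PROXY_ACIS = [ProxyAci(PROXY, BASE)]    # today: proxy as anyone over everything under BASE
AUTHZ_ACIS = [AuthzAci(PROXY, PEOPLE)]  # proposed: proxy only as identities under ou=people
READ_ACIS = [ReadAci(ALICE, PEOPLE)]


def compare(bind_dn, proxy_dn):
    """Run both models for one proxied search and return their result codes."""
    cur, _ = current_search(bind_dn, proxy_dn, ENTRIES, PROXY_ACIS, READ_ACIS)
    new, _ = proposed_search(bind_dn, proxy_dn, ENTRIES, AUTHZ_ACIS, READ_ACIS)
    return cur, new


if __name__ == "__main__":
    print("binder may proxy as alice   :", compare(PROXY, ALICE))
    print("binder may not proxy as root:", compare(PROXY, ROOT))
    print("stranger tries to proxy     :", compare("uid=evil," + PEOPLE, ALICE))
```

In the current model a refused proxy (second and third cases) and a plain read denial both come back as insufficientAccessRights, which is the indistinguishability the ticket complains about; the proposed model returns proxyAuthzFailure for the two proxy refusals without ever touching the entries, and reserves insufficientAccessRights for the case where the proxy was legitimately established but the proxied identity itself lacks read access.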


Metadata Update from @firstyear:
- Issue set to the milestone: 1.3.6 backlog

7 years ago

Metadata Update from @firstyear:
- Issue close_status updated to: None
- Issue set to the milestone: FUTURE (was: 1.3.6 backlog)

6 years ago

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None
- Issue tagged with: RFE

3 years ago

Metadata Update from @mreynolds:
- Issue tagged with: Access Control

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1907

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

