On Mon, Jun 16, 2008 at 02:45:43PM +0200, Hallvard B Furuseth wrote:
If non-anonymous access is needed, the slapd.access(5) manpage needs an update too. (Or instead, to avoid duplicating text.) Currently it just says:
Auth (=x) privileges are also required on the authzTo attribute of the authorizing identity and/or on the authzFrom attribute of the authorized identity.
but it doesn't mention who needs that auth access.
It is the authenticated ID that needs access in both cases. On further thought I think it is correct that the access is checked without reference to whether that ID has access to entry and parent entries, as (particularly in the case of authzFrom) the authenticated ID may not have any direct access to the entry whose ID it is about to assume.
Thus, if principal A has authenticated and wishes to perform an operation using principal B's authorisation, the access required is:
A needs auth access to authzTo in its own entry if that attribute is involved in giving A permission to act for B.
A needs auth access to authzFrom in B's entry if that attribute is involved in giving A permission to act for B.
The rules are the same whether using a SASL authorization identity or using a ProxyAuth control on an LDAP operation.
Thus I think my original report was wrong. This is a documentation issue, not a bug.
Andrew
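The two rules above, written out as a slapd.conf fragment. This is an added illustration, not text from the ITS report or from the OpenLDAP documentation, and the DNs, the suffix and the choice of authz-policy are assumptions made for the example.

```conf
# Added example (not from the original thread): ACLs that let
# cn=proxy,ou=services,dc=example,dc=com (principal A) act with the
# authorization of cn=alice,ou=people,dc=example,dc=com (principal B),
# either by SASL authzid or by the proxy authorization control.
# DNs and suffix are assumptions for the example.

# Allow both authzTo (on A's entry) and authzFrom (on B's entry)
# to be consulted when an authorization identity is requested.
authz-policy    any

# Rule 1: A needs auth access to authzTo in its own entry.
# "self" is A when A is the authenticated identity; the entry A's own
# access to the rest of its entry is not what is being checked here.
access to attrs=authzTo
        by self auth
        by * none

# Rule 2: A needs auth access to authzFrom in B's entry.
# A may have no other access to B's entry at all; only this attribute
# is evaluated, so the first matching "by" clause below is all that
# is needed for the authorization to be granted.
access to attrs=authzFrom
        by dn.exact="cn=proxy,ou=services,dc=example,dc=com" auth
        by * none

# Everything else: ordinary rules, which are not consulted for the
# authzTo/authzFrom check itself.
access to *
        by self write
        by users read
        by * auth
```

With this configuration the entry for cn=proxy would carry an authzTo value such as `dn:cn=alice,ou=people,dc=example,dc=com`, or the entry for cn=alice an authzFrom value such as `dn:cn=proxy,ou=services,dc=example,dc=com`; either one is sufficient under `authz-policy any`. The same ACLs govern both a SASL bind that supplies an authzid and an LDAP operation carrying the proxy authorization control, since the check is made on the authenticated identity in both cases.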