Howard Chu wrote:
A dgPolicy flag could determine what behavior, in case of no compliance with policy, should be taken: either (a) or (b), or none.
dgAuthz seems like overkill. If the user has read/search privs on the group entry, that ought to be sufficient.
I disagree: by running an internal operation with dgIdentity, and returning the results of that operation, you'd break the security model of OpenLDAP. In fact, a dynamic group can unveal data that would otherwise be inaccessible to a user. In fact, only running the search with the user's identity guarantees the security model is not broken, but dgAuthz, at least, gives some granularity. This doesn't break either backwards compatibility nor draft-haripriya-dynamicgroup: those who want to stick with it only have to ignore dgAuthz.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------