Pierangelo Masarati wrote:
As I commented on ldapext@ietf.org on that draft, I think we should rather enhance that concept by providing granular access policies. For example:
a) absent dgIdentity: search with user's identity
Maintains backward compatibility, fine.
b) empty dgIdentity: search anonymously
Fine.
c) present dgIdentity: search with dgIdentity; but: if dgAuthz is present, check that user's identity complies with that policy (much like idassert-authzFrom, with 1.3.6.1.4.1.4203.666.2.7 OpenLDAP authz syntax).
A dgPolicy flag could determine what behavior, in case of no compliance with policy, should be taken: either (a) or (b), or none.
dgAuthz seems like overkill. If the user has read/search privs on the group entry, that ought to be sufficient.
I don't think the original author was fine with my remarks, so we should just take our own path, and perhaps re-define dgIdentity, to clearly depart from that (broken, IMHO) draft.
Heh, that draft was broken in more ways than I could count.
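The three dgIdentity cases and the dgAuthz/dgPolicy fallback proposed in the thread above, as an added illustration in Python (not OpenLDAP's own dynlist code). It assumes a constructed attribute dict for the group entry, a `policy` argument standing in for the proposed dgPolicy flag, and an authz matcher that covers only a subset of the OpenLDAP authz syntax (`*`, `dn:`, `dn.exact:`, `dn.children:`, `dn.subtree:`, `dn.regex:`).

```python
import re
from typing import Optional

# The empty string models the anonymous identity; None means "do not expand".
ANONYMOUS = ""


def authz_match(rule: str, user_dn: str) -> bool:
    """Match one authz rule against the bound user's DN (subset of OpenLDAP syntax)."""
    if rule == "*":
        return True
    style, _, value = rule.partition(":")
    if style == "dn.regex":
        return re.fullmatch(value, user_dn, re.IGNORECASE) is not None
    user, value = user_dn.lower(), value.lower()   # DNs compared case-insensitively
    if style in ("dn", "dn.exact"):
        return user == value
    if style == "dn.children":                     # strictly below the base
        return user != value and user.endswith("," + value)
    if style == "dn.subtree":                      # base itself or anything below
        return user == value or user.endswith("," + value)
    raise ValueError(f"unsupported authz style: {style!r}")


def expansion_identity(group: dict, user_dn: Optional[str],
                       policy: str = "user") -> Optional[str]:
    """Identity the dynamic-group expansion searches as, per the proposed policy.

    group:   constructed dict attr -> list of values for the group entry.
    user_dn: bound user's DN, or None when bound anonymously.
    policy:  fallback when dgAuthz rejects the user: "user" (case a),
             "anonymous" (case b) or "none" (skip the expansion).
    """
    bound = user_dn if user_dn else ANONYMOUS
    if "dgIdentity" not in group:                  # (a) absent: user's identity
        return bound
    values = group["dgIdentity"]
    if not values or values[0] == "":              # (b) empty: anonymous
        return ANONYMOUS
    identity = values[0]                           # (c) present: use dgIdentity ...
    rules = group.get("dgAuthz") or []
    if not rules or any(authz_match(r, bound) for r in rules):
        return identity                            # ... if dgAuthz absent or satisfied
    # Non-compliant user: dgPolicy decides what happens instead.
    if policy == "user":
        return bound
    if policy == "anonymous":
        return ANONYMOUS
    if policy == "none":
        return None
    raise ValueError(f"unknown policy: {policy!r}")
```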