Pierangelo Masarati wrote:
> As I commented on ldapext(a)ietf.org on that draft, I think we should
> rather enhance that concept by providing granular access policies. For
> a) absent dgIdentity: search with user's identity

Maintains backward compatibility, fine.

> b) empty dgIdentity: search anonymously
> c) present dgIdentity: search with dgIdentity; but: if dgAuthz is
> present, check that user's identity complies with that policy (much like
> idassert-authzFrom, with 1.3.6.1.4.1.4203.666.2.7 OpenLDAP authz syntax).
> A dgPolicy flag could determine what behavior, in case of no compliance
> with policy, should be taken: either (a) or (b), or none.
dgAuthz seems like overkill. If the user has read/search privs on the group
entry, that ought to be sufficient.
> I don't think the original Author was fine with my remarks, so we
> just take our own path, and perhaps re-define dgIdentity, to clearly
> depart from that (broken, IMHO) draft.
Heh, that draft was broken in more ways than I could count.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/