Re: slapo-dynlist desgin question(s)

Quanah Gibson-Mount wrote: > > --On Saturday, January 20, 2007 4:09 PM +0100 Pierangelo Masarati >> Or, we could define /configurable) dynamic group specific attrs that >> implement the dynamic group's identity (groupManager?) and authorization >> rules (groupAuthzFrom?; groupAuthzTo would make sense as well; it could >> be used to check if a dynamic group is allowed to let a user assume the >> privileged identity when accessing a certain datum, the "to" of >> groupAuthzTo). > > I guess my issue here, is that I want the proxy ID to not be associated > with the client's ID at all. I simply want a way to have the dynamic > group to use the ACL's to decide whether or not the client has read or > compare to the membership list, and if it does, then to use an internal > identity that knows nothing about the client itself to do the compare or > membership generation as necessary. So I guess the second solution > would work best in that case? Well, mine was basically a suggestion to make things more finely tunable; of course, a safe default would be, for example, if no dynamic group exploitation authorization were defined, to allow users to use the dynlist and to deny anonymous. The latter could be enabled by setting groupAuthzFrom to "*" (shortcut for "dn.regex:.*"). So, in the end you would have what you need, while the feature could be restricted as needed.