(Please get the citation correctly wrapped so I don't have to re-edit it.)
Ulrich Windl wrote:
Michael Ströder michael@stroeder.com wrote:
Ulrich Windl wrote:
Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs. To authenticate, a user will use his DN and own password. Now when a DN is a member of multiple roles/groups, authenticating as that member assigns all the rights each group/role has.
It depends. Note that the order of the ACLs, and of the <who> clauses within an ACL, is significant.
But you use the role name for <who>, right?
In simple cases, and in most cases, yes.
But it does not mean that the roles are all effective at the *same* time. You can influence the control flow of the ACLs and stop before ACLs or skip ACLs.
If you're still feeling hungry for more intellectual input you can dive into various RBAC approaches presented at LDAPcon 2011 and 2013.
Any paper or URI for that?
https://www.google.de/search?q=ldapcon+rbac
But IMO there's not much point in doing so because if the user's credentials are intercepted the attacker can gain access to any role.
Correct.
At least the system should enforce that the user has to re-authenticate before changing the role. Using an OTP mech, this would be acceptable.
Ciao, Michael.
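As an added illustration of the ordering point made in this exchange (editor's example, not text or configuration posted by any participant): the slapd.conf-style ACL fragment below assumes a suffix dc=example,dc=com, groupOfNames roles under ou=roles (so the default group= lookup via the member attribute applies), user entries under ou=people, and a user uid=alice who is a member of both cn=staff and cn=helpdesk. It shows that being in several groups does not make all of them effective at once: slapd takes the first matching "access to" directive, and within it the first matching "by" clause, and the default control is "stop".

```conf
# Editor's example, not from the thread. Suffix, role groups and users
# are assumed for illustration only.

# Password hashes first: owner may change, anonymous gets 'auth' so that
# simple binds still work, nobody else sees them. Placing this before the
# role directives means none of them ever reaches userPassword.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Deliberately capping a role: auditors get read and evaluation STOPS
# (the default control), so no later directive can grant them write via
# another group they also belong to. Everyone else hits 'break', which
# leaves this directive and continues with the next matching one.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=auditors,ou=roles,dc=example,dc=com" read
    by * break

# Order of <who> clauses inside one directive. uid=alice is in BOTH
# cn=staff and cn=helpdesk, yet here she only gets 'read' on the phone
# attribute: the staff clause matches first and 'stop' is implied, so the
# helpdesk clause is never evaluated for her.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber
    by group.exact="cn=staff,ou=roles,dc=example,dc=com" read
    by group.exact="cn=helpdesk,ou=roles,dc=example,dc=com" write
    by * none

# Same two clauses with the most privileged role first: now alice gets
# 'write'. Use this ordering when one role is meant to extend another.
#access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber
#    by group.exact="cn=helpdesk,ou=roles,dc=example,dc=com" write
#    by group.exact="cn=staff,ou=roles,dc=example,dc=com" read
#    by * none

# General rule for the rest of the people subtree; must come AFTER the
# more specific attrs=telephoneNumber directive, because the first
# matching "access to" wins.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group.exact="cn=helpdesk,ou=roles,dc=example,dc=com" write
    by users read
    by * none

# Explicit catch-all so nothing relies on the implicit default.
access to *
    by * none
```

The effective rights can be checked offline with slapacl(8) against a populated database, e.g. `slapacl -f slapd.conf -D uid=alice,ou=people,dc=example,dc=com -b uid=bob,ou=people,dc=example,dc=com telephoneNumber/write`, which with the active ordering above reports that write is denied and with the commented-out ordering reports it allowed. Note that the cap on cn=auditors only holds because that directive appears before the ones that grant write; moving it below them would silently turn it into dead configuration for anyone already matched earlier.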