Michael Ströder michael@stroeder.com wrote on 09.12.2014 at 15:47 in
message 54870B9E.2080306@stroeder.com:
> Ulrich Windl wrote:
>> I have a question: You can define roles for authentication this way:
> You probably are talking about authorization, not authentication.
OK!
>> Multiple DNs can be members of a group/role, and you can use group names
>> when assigning ACLs.
>> To authenticate, a user will use his DN and own password.
>> Now when a DN is member of multiple roles/groups, authenticating as member
>> assigns all the rights each group/role has.
> It depends. Note that order of the ACLs and <who> clause within ACLs is significant.
But you use the role name for <who>, right?
>> The idea of a role however is that a user "changes hats", depending on the
>> task he is doing.
>> I wonder: Is it possible to authenticate with a group/role's DN and the
>> user's (a member) password?
>> Or is there some other mechanism to achieve what I want?
> You could allow a single authenticated user to define a certain authz identity. You should make yourself familiar with SASL authz-ID, proxy authz and authzTo/authzFrom attributes.
> If you're still feeling hungry for more intellectual input you can dive into
> various RBAC approaches presented at LDAPcon 2011 and 2013.
Any paper or URI for that?
> But IMO there's not much point in doing so because if the user's credentials
> are intercepted the attacker can gain access to any role.
Correct.
> Ciao, Michael.
Thank you for answering!
Regards, Ulrich
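A sketch of the proxy-authorization setup Michael points at, as an added example that is not from either poster: an OpenLDAP slapd.conf fragment (suffix, role, group and user DNs are constructed) in which ACLs grant rights to a role entry, and `authz-policy to` lets a user whose own entry carries a matching authzTo value assume that role after binding with their own password.

```conf
# Added example (not from the thread). Constructed names under dc=example,dc=com.
# Let a bound user switch to an authorization identity that its own entry
# permits via the authzTo operational attribute (see slapd.conf(5)).
authz-policy to

# Rights are granted to the role entry and to a group, never to people directly.
# Order matters: the first matching <who> clause wins, so the specific grants
# come first and the catch-all denial last.
access to dn.subtree="ou=hr,dc=example,dc=com"
    by dn.exact="cn=hr-admin,ou=roles,dc=example,dc=com" write
    by group.exact="cn=hr-staff,ou=groups,dc=example,dc=com" read
    by * none

# The user entry (LDIF, written out of band by the directory admin) lists the
# roles it may assume; without a matching authzTo value the request is refused:
#
#   dn: uid=alice,ou=people,dc=example,dc=com
#   authzTo: dn.exact:cn=hr-admin,ou=roles,dc=example,dc=com
#
# Alice binds with her own credentials and asks for the role through the
# proxy authorization control (RFC 4370):
#
#   ldapwhoami -x -D "uid=alice,ou=people,dc=example,dc=com" -W \
#       -e authzid="dn:cn=hr-admin,ou=roles,dc=example,dc=com"
#
# Without -e authzid the same bind is answered with her own DN: she wears no
# hat until she asks for one, which is the "changes hats" behaviour discussed.
# The role switch is logged under her own bind DN, so audit trails still show
# who acted, but, as Michael notes, her single password unlocks every role she
# is allowed to assume.
```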