On Thu, Jul 27, 2023 at 10:32:08PM +1000, Sean Gallagher wrote:
> My clients are very asymmetric. Each has a particular job to do, and a
> particular set of operations to perform on the database. I was trying to
> restrict access for each client, to just what was needed for it to perform
> its task. Then if one client is compromised, damage can be (more)
> contained.
>
> As it stands, before a bind, all (IP) clients look the same (apart from the
> IP address) - and so all clients need "auth" access to all other clients'
> credentials. If any client is granted some pre-bind rights, all clients get
> those same rights. One compromised client makes all clients vulnerable. This
> is not necessary. slapd _knows_ the identity of each client, it's just a
> matter of exposing it to the ACL rules. It's not even without precedent, the
> sasl_ssf is exposed to the ACL rules before a bind, why not other properties
> of the sasl state?
>
> Anyway, this is just a "nice to have" idea, the real-life effect this would
> have on security is pretty minimal. It's just frustrating when I have to
> weaken access controls to do things the "right" way.
For now, your best bet would be a dynacl module. Or you can implement your
proposed functionality yourself and see if we can get it merged.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
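To make the trade-off in the thread concrete, here is an added slapd.conf ACL example; it is not configuration from either poster and not part of OpenLDAP's own documentation. The suffix dc=example,dc=com, the service accounts under ou=clients, and the addresses 192.0.2.10 and 192.0.2.20 are assumed for illustration. The first rule is the "weaken access controls" shape Sean describes: before a bind every connection is anonymous, so letting one client authenticate means granting auth on every client's userPassword to every anonymous connection. The rules that follow use the two things slapd does expose before a bind, the peer address and the security strength factor, to narrow each credential to the host it is expected to bind from. slapd evaluates access directives and by clauses first-match, so the per-client rules must come before the general one.

```conf
# Constructed example, not from the thread. Assumed suffix, accounts and IPs.

# Weak form: any anonymous connection may use (auth) any client's credential.
# A compromised client can bind as every other client whose password it can guess
# or has obtained, because nothing pre-bind distinguishes the connections.
access to dn.children="ou=clients,dc=example,dc=com" attrs=userPassword
        by anonymous auth
        by self =xw
        by * none

# Tightened form: each service account's credential can only be used for a bind
# from that client's own address, and only over a transport with SSF >= 128
# (tls_ssf= or sasl_ssf= can be used instead of ssf= to require a specific layer).
# "auth" lets the bind compare the password without granting read on it.
access to dn.exact="cn=billing,ou=clients,dc=example,dc=com" attrs=userPassword
        by peername.ip=192.0.2.10 ssf=128 auth
        by self ssf=128 =xw
        by * none

access to dn.exact="cn=reporting,ou=clients,dc=example,dc=com" attrs=userPassword
        by peername.ip=192.0.2.20 ssf=128 auth
        by self ssf=128 =xw
        by * none

# Anything else under ou=clients gets no pre-bind access at all.
access to dn.children="ou=clients,dc=example,dc=com" attrs=userPassword
        by self ssf=128 =xw
        by * none
```

This is the containment the thread calls "more contained" rather than real isolation: peername.ip keys on the source address, so two services on the same host, or an attacker who can reach slapd from that address, still share the same pre-bind rights. That gap is exactly what a dynacl module, or the proposed exposure of more of the SASL state to ACLs, would close.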
