Ondřej Kuzník wrote:
> On Thu, Jul 27, 2023 at 10:32:08PM +1000, Sean Gallagher wrote:
>> My clients are very asymmetric. Each has a particular job to do, and a
>> particular set of operations to perform on the database. I was trying to
>> restrict access for each client, to just what was needed for it to perform
>> its task. Then if one client is compromised, damage can be (more)
>> contained.
>>
>> As it stands, before a bind, all (IP) clients look the same (apart from the
>> IP address) - and so all clients need "auth" access to all other clients'
>> credentials. If any client is granted some pre-bind rights, all clients get
>> those same rights. One compromised client makes all clients vulnerable. This
>> is not necessary. slapd _knows_ the identity of each client, it's just a
>> matter of exposing it to the ACL rules. It's not even without precedent, the
>> sasl_ssf is exposed to the ACL rules before a bind, why not other properties
>> of the sasl state?
>>
>> Anyway, this is just a "nice to have" idea, the real-life effect this would
>> have on security is pretty minimal. It's just frustrating when I have to
>> weaken access controls to do things the "right" way.
>
> For now, your best bet would be a dynacl module. Or you can implement
> your proposed functionality yourself and see if we can get it merged.
No. This is fallacious.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
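For readers following the thread, the pre-bind qualifiers Sean refers to (the client's IP address via peername.ip, and the security strength factor via ssf/sasl_ssf) are already available to slapd ACLs, and they can be combined in a single "by" clause so that each client gets "auth" on its own userPassword only, from its own address, over a protected connection. The following cn=config fragment is an added example written for this page, not something posted in the thread or shipped by the OpenLDAP project; the database DN, client entry DNs and IP addresses are assumed. It does not do what the original proposal asks for (ACLs keyed on the SASL identity before the bind completes); it only shows how far the existing qualifiers go.

```ldif
# Added example (not from the thread). Assumed: database olcDatabase={1}mdb,
# clients live under ou=clients,dc=example,dc=com, and each client connects
# from a fixed address. Qualifiers in one "by" clause are ANDed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# The billing client may authenticate (auth) against its own entry only,
# only from 10.0.0.11, and only on a connection with SSF >= 128 (e.g. TLS).
# Every other pre-bind connection gets "none" on this password, so a
# compromised reporting host cannot even attempt binds as cn=billing.
olcAccess: {0}to dn.exact="cn=billing,ou=clients,dc=example,dc=com" attrs=userPassword
  by peername.ip=10.0.0.11 ssf=128 auth
  by self =xw
  by * none
olcAccess: {1}to dn.exact="cn=reporting,ou=clients,dc=example,dc=com" attrs=userPassword
  by peername.ip=10.0.0.12 ssf=128 auth
  by self =xw
  by * none
# Nothing else is visible before a successful bind; anonymous gets no
# access at all, so no pre-bind right is shared across clients.
olcAccess: {2}to *
  by users read
  by * none
```

Apply with ldapmodify against cn=config and check the result with ldapsearch as each client before and after binding. The weakness Sean describes remains: the only thing distinguishing clients before the bind is the network address, so a compromised client that can spoof or share an address regains the other client's pre-bind rights.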
