[higgins-dev] A couple of largely unacceptable methods for solving Bug #

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[higgins-dev] A couple of largely unacceptable methods for solving Bug #211945

From: "Tom Doman" <tdoman@xxxxxxxxxx>
Date: Mon, 14 Jan 2008 17:49:11 -0700
Delivered-to: higgins-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>
List-help: <mailto:higgins-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=unsubscribe>

Okay, well, at least they are to me.

Okay, this defect report describes how, when the SelfIssuedMaterials authentication method is used, the JNDI Context Provider remains authenticated as what we've come to call, the Least Privileged User (LPU) configured in the JNDI CP configuration file. Any subsequent calls to IdAS will be done using the authorization rights of the LPU.

There are a couple of ways to fix this:

1. Some LDAP servers implement RFC 4370, Proxied Authorization Control. This control would allow the LPU to perform operations as the identity discovered using SelfIssuedMaterials. Exactly what we want! Unfortunately, there are several issues with this solution:

a. This is not a general JNDI ...
b. Not every LDAPv3 server implements RFC 4370.
c. Each LDAP server which implements RFC 4370 defines its own policy for proxy authorization access rights.
d. None of this helps any other Context Provider.

2. Define an access control abstraction in IdAS (Bug #197373). This might be advantageous in that it'd be the same interface for every Context Provider to implement but there are some potential issues:

a. Any given Context Provider may not be able to fully implement the access control abstraction.
b. It may become a large burden to keep track of this information for each CP, potentially, outside of its native store.

Even if I implemented #1, we'd still have to describe and explain how the LPU works for those directory servers that don't implement 4370. Then we'd have to describe what limitations an LPU puts on the kinds of applications and data that one may want to front with IdAS. So, what LDAP servers are people on this mailing list using? Do you know if they support RFC 4370?

I fear #2 will be a huge undertaking (though, as I included above, Jim has entered a defect for it) with limited functionality but I'd like to discuss if, when, and how if the general consensus is that that is how we should solve this defect.

Thanks,
Tom

Follow-Ups:
- Re: [higgins-dev] A couple of largely unacceptable methods for solvingBug #211945
  - From: Jim Sermersheim

Prev by Date: RE: [higgins-dev] Data Model: Many same-typed attributes?
Next by Date: RE: [higgins-dev] Data Model: Many same-typed attributes?
Previous by thread: [higgins-dev] Data Model: Allow zero-valued attributes?
Next by thread: Re: [higgins-dev] A couple of largely unacceptable methods for solvingBug #211945
Index(es):
- Date
- Thread

Breadcrumbs