I'd like to propose a new feature to substantially strengthen the
existing access controls in slapd. This follows on from comments made in
the discussion around Issue 10065, in particular Comment 17 and Comment 19.
The objective here is to validate the credentials supplied by external
security mechanisms BEFORE the main server loop starts, and terminate
the connection if the client is not "known".
It was noted that the olcAuthzRegexp configuration option already deals
with externally supplied Authentication IDs. My idea is to build on that.
I propose a new flag for "olcDisallows" that is "unmatched_external_authid".
Setting this flag would instruct slapd to drop the connection if the
externally supplied authid did not match any of the olcAuthzRegexp rules.
Currently the olcAuthzRegexp rules are only applied after a command
arrives. My proposal does not change that; instead, I propose that
olcAuthzRegexp be evaluated at "connection time" as well as at
"execution time". This would reduce the chance of any unexpected side
effects.
The only real issue I can think of is this: is it possible for
olcAuthzRegexp to match an AuthID without changing it? Is there any
recursion in the application of these rules?
Any thoughts?
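To make the proposed connection-time gate concrete, here is an added example (not code from the post or from OpenLDAP) that models olcAuthzRegexp-style rules and the hypothetical "unmatched_external_authid" disallow flag. The rule set, authids and the single-pass, first-match-wins evaluation are assumptions of this example; the "match without changing" case from the question above is shown explicitly.

```python
import re

# Constructed rules in olcAuthzRegexp style: (regex over the SASL authid, replacement using $1..$9).
AUTHZ_REGEXP_RULES = [
    (r"^uid=([^,]+),cn=gssapi,cn=auth$", "uid=$1,ou=people,dc=example,dc=com"),
    (r"^uid=svc-([^,]+),cn=external,cn=auth$", "cn=svc-$1,ou=services,dc=example,dc=com"),
]


def apply_authz_regexp(authid, rules):
    """Evaluate the rules once, in order; the first match wins and its output is
    NOT fed back into the rule list, so there is no recursion in this model.
    Returns (matched, mapped_id). A rule such as ("^(.*)$", "$1") matches
    without changing the id, so 'matched' and 'changed' are separate facts."""
    for pattern, replacement in rules:
        m = re.match(pattern, authid)
        if m:
            mapped = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            return True, mapped
    return False, authid


def connection_time_check(authid, rules, disallow_unmatched):
    """Proposed gate run before the main loop: with the (hypothetical)
    unmatched_external_authid flag set, an external authid that matches no
    rule causes the connection to be dropped; otherwise the mapped id is kept
    and the usual per-operation evaluation still happens later."""
    matched, mapped = apply_authz_regexp(authid, rules)
    if disallow_unmatched and not matched:
        return ("drop", None)
    return ("accept", mapped)


if __name__ == "__main__":
    for authid in ("uid=alice,cn=gssapi,cn=auth",
                   "uid=svc-backup,cn=external,cn=auth",
                   "uid=mallory,cn=digest-md5,cn=auth"):
        print(authid, "->", connection_time_check(authid, AUTHZ_REGEXP_RULES, True))
    # Identity-style rule: matched but unchanged, so the gate still accepts it.
    print(apply_authz_regexp("uid=bob,cn=gssapi,cn=auth", [(r"^(.*)$", "$1")]))
```

The last call shows the answer to the "match without changing" question in this model: the gate keys on whether a rule matched, not on whether the id was rewritten, so an identity-style rule effectively allow-lists everything it matches.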