directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Karasulu" <>
Subject Re: [ApacheDS] Comments on Stored Procedure Implementation (was Re: [Roadmap]Apache Directory Server 2.0 Roadmap proposal)
Date Sat, 29 Sep 2007 09:38:00 GMT
Incidentally I just got a simple idea on how (in the implementation) one
principal can execute operations with the rights of another.  This may help
with both sp/triggers and implementing the authorization proxy control.  We
simply need to track the authorization principal with the LdapPrincipal.
The authorization principal is the one used by the Authz subsystem's access
control decision function (ACDF).  The authentication principal is then used
as the identity while running with the permissions of the authorization
principal.  Based on controls and stored procedure ownership the AuthZ
principal can be changed at any time and reverted back to the AuthN
principal by the server.

This would not be too hard to implement given the architecture of the server
and of the AuthZ service.


View raw message