upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-29 02:59:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#4897 source/destination confusion

Browse source
This commit is contained in:
Howard Chu 2007-04-05 01:20:42 +00:00
parent b671fa0f10
commit c3998fb210
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
doc/guide/admin/sasl.sdf
View file

@ -679,14 +679,14 @@ should be allowed to perform the proxy authorization.
By default, processing of proxy authorization rules is disabled.
The {{EX:authz-policy}} directive must be set in the
{{slapd.conf}}(5) file to enable authorization. This directive can
be set to {{EX:none}} for no rules (the default), {{EX:from}} for
source rules, {{EX:to}} for destination rules, or {{EX:both}} for
be set to {{EX:none}} for no rules (the default), {{EX:to}} for
source rules, {{EX:from}} for destination rules, or {{EX:both}} for
both source and destination rules.
Destination rules are extremely powerful. If ordinary users have
Source rules are extremely powerful. If ordinary users have
access to write the {{EX:authzTo}} attribute in their own
entries, then they can write rules that would allow them to authorize
as anyone else. As such, when using destination rules, the
as anyone else. As such, when using source rules, the
{{EX:authzTo}} attribute should be protected with an ACL that
only allows privileged users to set its values.