>>> Michael Ströder <[email protected]> wrote on 09.12.2014 at 15:47 in message <[email protected]>:
> Ulrich Windl wrote:
>> I have a question: You can define roles for authentication this way:
>
> You probably are talking about authorization, not authentication.

OK!

>> Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs.
>> To authenticate, a user will use his DN and own password.
>>
>> Now when a DN is member of multiple roles/groups, authenticating as member assigns all the rights each group/role has.
>
> It depends. Note that order of the ACLs and <who> clause within ACLs is significant.

But you use the role name for <who>, right?

>> The idea of a role however is that a user "changes hats", depending on the task he is doing.
>>
>> I wonder: Is it possible to authenticate with a group/role's DN and the user's (a member) password?
>>
>> Or is there some other mechanism to achieve what I want?
>
> You could allow a single authenticated user to define a certain authz identity. You should make yourself familiar with SASL authz-ID, proxy authz and authzTo/authzFrom attributes.
>
> If you're still feeling hungry for more intellectual input you can dive into various RBAC approaches presented at LDAPcon 2011 and 2013.

Any paper or URI for that?

> But IMO there's not much point in doing so because if the user's credentials are intercepted the attacker can gain access to any role.

Correct.

> Ciao, Michael.

Thank you for answering!

Regards,
Ulrich
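The mechanism Michael points to, a user binding with his own DN and password and then asking for one specific authorization identity via authzTo, as an added OpenLDAP cn=config example that is not from the thread. The suffix dc=example,dc=com, the entries uid=ulrich and cn=role-admin, and the database name {1}mdb are assumptions.

```ldif
# Added example (not from the thread): "changing hats" with proxy
# authorization instead of binding as the role's DN.
# All DNs and the {1}mdb database name are assumptions.

# 1. Let entries declare which identities they may assume.
#    olcAuthzPolicy accepts none | from | to | any.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# 2. The role entry carries no userPassword, so nobody can bind as it;
#    it is only ever reached through authorization.
dn: cn=role-admin,ou=roles,dc=example,dc=com
changetype: add
objectClass: organizationalRole
cn: role-admin

# 3. The user authenticates with his own password and may assume only
#    the identities listed in authzTo (dn.exact keeps the set explicit).
dn: uid=ulrich,ou=people,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=role-admin,ou=roles,dc=example,dc=com

# 4. Rights are granted to the role DN, not to the user, so an operation
#    carries admin rights only when the user explicitly asked for that hat.
#    Order matters: the first matching <who> clause wins.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=role-admin,ou=roles,dc=example,dc=com" write
  by self write
  by users read
  by * none

# 5. Selecting the hat for one operation (proxied authorization control,
#    RFC 4370) after a normal bind as the user:
#    ldapwhoami -ZZ -x -D uid=ulrich,ou=people,dc=example,dc=com -W \
#      -e '!authzid=dn:cn=role-admin,ou=roles,dc=example,dc=com'
```

Because the bind still carries the user's real password, the -ZZ (StartTLS) in step 5 is what limits the interception risk Michael mentions; authzTo then bounds which roles that one credential can reach.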
