From: Howard Chu Date: Thu, 5 Apr 2007 01:20:42 +0000 (+0000) Subject: ITS#4897 source/destination confusion X-Git-Tag: OPENLDAP_REL_ENG_2_4_MP~550 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=c3998fb2101d63df1aef446c44858cea72e915a1;p=openldap ITS#4897 source/destination confusion --- diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index a67298e11a..9651a0bcfc 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -679,14 +679,14 @@ should be allowed to perform the proxy authorization. By default, processing of proxy authorization rules is disabled. The {{EX:authz-policy}} directive must be set in the {{slapd.conf}}(5) file to enable authorization. This directive can -be set to {{EX:none}} for no rules (the default), {{EX:from}} for -source rules, {{EX:to}} for destination rules, or {{EX:both}} for +be set to {{EX:none}} for no rules (the default), {{EX:to}} for +source rules, {{EX:from}} for destination rules, or {{EX:both}} for both source and destination rules. -Destination rules are extremely powerful. If ordinary users have +Source rules are extremely powerful. If ordinary users have access to write the {{EX:authzTo}} attribute in their own entries, then they can write rules that would allow them to authorize -as anyone else. As such, when using destination rules, the +as anyone else. As such, when using source rules, the {{EX:authzTo}} attribute should be protected with an ACL that only allows privileged users to set its values.
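Review bot: In the rewritten sentence listing the {{EX:authz-policy}} values, "source rules" and "destination rules" are still not tied to the attribute each one reads, which is the ambiguity that allowed the two to be swapped in the first place; only the following paragraph implies that source rules are the ones stored in {{EX:authzTo}}. Suggest naming the attribute beside each value, for example "{{EX:to}} for source rules (the {{EX:authzTo}} attribute in the user's own entry)", and doing the same for {{EX:from}}, so the ACL advice at the end of the hunk cannot be read as applying to the wrong rule type. The commit message could also say which direction was wrong, since "source/destination confusion" alone does not tell a reader of the log what changed.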