It looks like we currently parse this control, but only to allow logging its
contents, and nothing more. Seems like it would be useful to carry the parsed
info along with the o_authz struct, and make it usable in the ACL engine. This
would allow setting ACLs that can distinguish between different applications
acting on behalf of a given user (or service).

Any security downside to this?
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
