directory-dev mailing list archives

From Quanah Gibson-Mount <>
Subject Re: [ApacheDS] Internal vs. external lookups
Date Thu, 31 May 2007 05:15:26 GMT
--On Wednesday, May 30, 2007 10:11 PM -0700 Enrique Rodriguez 
<> wrote:

> Actually, I very much care whether the request is internal vs.
> external and much much less "who" is attempting the authentication.
> The issue with what I want to do is that certain operations must NEVER
> be allowed to occur from outside the server.  Basing this upon the
> bind principal does not help since a bind principal can be
> compromised.  To avoid a security problem when a principal is
> compromised, I must prevent certain operations from ever occurring from
> outside the server, and thus I must know whether a request is coming
> from inside vs. outside the server and not who the bind principal is.

This is something that matters considerably when considering dynamic group 
expansion.  I haven't followed whether or not Apache DS has implemented (or 
will implement) this, but that's certainly a place where I found that it is 
necessary to have the concept of an internal ID acting on different 
permissions from the external ID making a request.


Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
