directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enrique Rodriguez" <>
Subject [ApacheDS] Internal vs. external lookups
Date Thu, 24 May 2007 22:16:10 GMT
Hi, Directory developers,

I have some use cases for Kerberos that require an interceptor to know
whether a request is coming from internal vs. external to the server.
For example, if a principal lookup is being performed by the Kerberos
protocol provider or by an LDAP search.  In other words, internal JNDI
access or LDAP-over-the-wire.  Unfortunately, I think everything looks
like it's coming from CoreContextFactory to the interceptors.

I've thought of a couple hacks, such as using a special principal for
protocol providers to use for binding with JNDI.  Today we use the
admin principal everywhere (startup config, internal JNDI).  But,
using a special principal still allows that principal to be used for
internal or external access, ie it's not very explicit.  So, the
solution I keep coming back to is to create a new Authenticator, the
InternalAuthenticator, and to use that as the authenticationLevel
"internal" (vs. "simple" or "strong").

Eventually, the solution might be both the InternalAuthenticatior in
conjuction with service principal DN's that each protocol provider
would need to use to bind internally and that we could use in ACI to
tighten security.  Today protocols bind with the admin account and
have full access to the DIT.

Is there any way to tell already if a lookup is internal vs. external?
 Is the InternalAuthenticator a viable option?  The implementation
would be trivial (I just did the StrongAuthenticator).


View raw message