directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [ApacheDS] Internal vs. external lookups
Date Thu, 31 May 2007 05:16:37 GMT
On 5/31/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
>
> On 5/30/07, Alex Karasulu <akarasulu@apache.org> wrote:
> > Enrique, I'm guessing you use "internal" for the value of the
> > Context.SECURITY_AUTHENTICATION [0] JNDI parameter.  Is
> > this a correct presumption?
>
> Yes.
>
> > This parameter is hence used to set the authentication level right?  I guess
> > this is attractive to do since it marks the Context for the life of the Context
> > and you can differentiate it from LDAP sessions which authenticate on
> > InitialContexts using the other authentication levels.  In this case your
> > tactic would work but it could be implemented a little better.  There is no
> > reason why we should have to do this with the authentication level which
> > is really orthogonal to your aim of identifying "who" is attempting the
> > authentication.
>
> Actually, I very much care whether the request is internal vs.
> external and much much less "who" is attempting the authentication.
> The issue with what I want to do is that certain operations must NEVER
> be allowed to occur from outside the server.  Basing this upon the
> bind principal does not help since a bind principal can be
> compromised.  To avoid a security problem when a principal is
> compromised, I must prevent certain operations from ever occurring from
> outside the server, and thus I must know whether a request is coming
> from inside vs. outside the server and not who the bind principal is.


OK I see.  How about preventing external binds from these special service
principals in the LDAP provider?  We can create a special blocked list or use
a special attribute that prevents LDAP binds this way?  So for example you can
flag an account as internal and the LDAP server will not allow the bind through
LDAP.

Alex
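The two designs discussed in this thread, side by side, as an added example that is not ApacheDS code and not part of the original message: a naive policy that decides only on the bind principal (which fails once the principal's credentials are compromised, as Enrique points out), and an origin-aware policy in which the server tags each request as internal or external, refuses LDAP binds for accounts carrying an internal-only flag (Alex's proposed special attribute), and refuses internal-only operations for any external request. The attribute name `internalOnly`, the operation name `rotateServiceKey`, the DNs and the `Request`/`Origin` types are all constructed for this illustration.

```python
"""Internal vs. external request policy for a directory server (constructed model).

Hypothetical illustration of the two designs discussed in the thread: tagging a
request with its origin (inside the server vs. the LDAP network listener) and
flagging service accounts so the LDAP provider refuses to bind them.
Attribute, operation and principal names are invented for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    INTERNAL = "internal"   # call made from inside the server, no network involved
    EXTERNAL = "external"   # request arrived through the LDAP protocol provider


@dataclass(frozen=True)
class Request:
    principal: str          # bind DN
    origin: Origin
    operation: str          # e.g. "bind", "search", "rotateServiceKey"


# Constructed directory: DN -> attributes. "internalOnly" is a hypothetical flag
# standing in for the "special attribute" proposed in the thread.
DIRECTORY = {
    "uid=kdc,ou=services,dc=example,dc=com": {"internalOnly": True},
    "uid=alice,ou=users,dc=example,dc=com": {"internalOnly": False},
}

# Operations that must never run on behalf of an external request, whatever
# principal is bound (hypothetical operation name).
INTERNAL_ONLY_OPERATIONS = {"rotateServiceKey"}


def principal_only_policy(req: Request) -> tuple[bool, str]:
    """Naive policy: decide purely on the bind principal.

    This is the approach the thread rejects: once the service principal's
    credentials are compromised, an external caller gets the same rights.
    """
    if req.principal in DIRECTORY:
        return True, "known principal"
    return False, "unknown principal"


def origin_aware_policy(req: Request) -> tuple[bool, str]:
    """Policy that uses the request's origin, as proposed in the thread.

    1. Accounts flagged internalOnly may not bind over LDAP at all.
    2. Internal-only operations are refused for every external request,
       even when the principal is otherwise valid.
    """
    entry = DIRECTORY.get(req.principal)
    if entry is None:
        return False, "unknown principal"
    if req.operation == "bind" and req.origin is Origin.EXTERNAL and entry["internalOnly"]:
        return False, "account is internal-only; LDAP bind refused"
    if req.operation in INTERNAL_ONLY_OPERATIONS and req.origin is not Origin.INTERNAL:
        return False, f"{req.operation} is only allowed from inside the server"
    return True, "allowed"


def evaluate(requests: list[Request]) -> dict[tuple[str, str, str], tuple[bool, bool]]:
    """Run both policies; key is (principal, operation, origin), value is (naive, aware)."""
    results = {}
    for r in requests:
        results[(r.principal, r.operation, r.origin.value)] = (
            principal_only_policy(r)[0],
            origin_aware_policy(r)[0],
        )
    return results


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    # legitimate in-server use of the service principal
    Request("uid=kdc,ou=services,dc=example,dc=com", Origin.INTERNAL, "rotateServiceKey"),
    # the same service principal, with compromised credentials, arriving over the network
    Request("uid=kdc,ou=services,dc=example,dc=com", Origin.EXTERNAL, "bind"),
    Request("uid=kdc,ou=services,dc=example,dc=com", Origin.EXTERNAL, "rotateServiceKey"),
    # an ordinary user binding over LDAP
    Request("uid=alice,ou=users,dc=example,dc=com", Origin.EXTERNAL, "bind"),
]

if __name__ == "__main__":
    for key, (naive, aware) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{key}: principal-only={naive} origin-aware={aware}")
```

The point the table of results makes is the one in the thread: the principal-only policy accepts every request for a known principal, so it offers no protection once a service principal's credentials leak, while the origin-aware policy still lets the server use the service principal internally but refuses both the external bind and the external privileged operation. In a real server the `origin` value must be set by the server itself (for instance, by the protocol provider on receipt) and never be derivable from anything the client sends.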
