directory-dev mailing list archives

From "Alex Karasulu" <>
Subject Re: [ApacheDS] Internal vs. external lookups
Date Thu, 31 May 2007 05:16:37 GMT
On 5/31/07, Enrique Rodriguez <> wrote:
> On 5/30/07, Alex Karasulu <> wrote:
> > Enrique, I'm guessing you use "internal" for the value of the
> > Context.SECURITY_AUTHENTICATION [0] JNDI parameter.  Is
> > this a correct presumption?
> Yes.
> > This parameter is hence used to set the authentication level right?  I guess
> > this is attractive to do since it marks the Context for the life of the Context
> > and you can differentiate it from LDAP sessions which authenticate on
> > InitialContexts using the other authentication levels.  In this case your
> > tactic would work but it could be implemented a little better.  There is no
> > reason why we should have to do this with the authentication level which
> > is really orthogonal to your aim of identifying "who" is attempting the
> > authentication.
> Actually, I very much care whether the request is internal vs.
> external and much much less "who" is attempting the authentication.
> The issue with what I want to do is that certain operations must NEVER
> be allowed to occur from outside the server.  Basing this upon the
> bind principal does not help since a bind principal can be
> compromised.  To avoid a security problem when a principal is
> compromised, I must prevent certain operations from ever occurring from
> outside the server, and thus I must know whether a request is coming
> from inside vs. outside the server and not who the bind principal is.

OK I see.  How about preventing external binds from these special services
in the LDAP provider?  We can create a special blocked list or use a special
that prevents LDAP binds this way?  So for example you can flag an account
internal and the LDAP server will not allow the bind through LDAP.
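A small model of the two ideas in this exchange, added here as an illustration and not code from ApacheDS: internal-only operations are refused for any request that entered over the wire regardless of the bound principal, and accounts flagged "internal" are refused an LDAP bind. Operation names, account DNs and the `Origin` type are constructed for the example.

```python
"""Origin-based gating for server-internal operations (constructed model)."""
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    INTERNAL = "internal"   # in-process lookup by a server component
    EXTERNAL = "external"   # request arrived through the LDAP front-end


# Operations that must never be reachable from outside the server
# (constructed names standing in for real server-internal operations).
INTERNAL_ONLY_OPS = frozenset({"read-service-key", "rotate-service-key"})

# Accounts flagged internal: usable by in-process components only
# (constructed DN, not a real ApacheDS default).
INTERNAL_ACCOUNTS = frozenset({"uid=internal-svc,ou=system"})


@dataclass(frozen=True)
class Request:
    principal: str   # who the session bound as
    origin: Origin   # where the request entered the server
    operation: str


def bind_decision(principal: str, origin: Origin) -> str:
    """Refuse LDAP binds for accounts flagged internal; in-process use is fine."""
    if principal in INTERNAL_ACCOUNTS and origin is Origin.EXTERNAL:
        return "deny:internal-account-external-bind"
    return "allow"


def authorize(req: Request) -> str:
    """Check origin before principal, so a compromised principal gains nothing."""
    if req.operation in INTERNAL_ONLY_OPS and req.origin is not Origin.INTERNAL:
        return "deny:internal-only-operation"
    return bind_decision(req.principal, req.origin)


if __name__ == "__main__":
    # Even the admin principal is refused an internal-only operation from outside.
    print(authorize(Request("uid=admin,ou=system", Origin.EXTERNAL, "read-service-key")))
    # The same operation from inside the server succeeds.
    print(authorize(Request("uid=internal-svc,ou=system", Origin.INTERNAL, "read-service-key")))
```

A denial string rather than a bare False makes the reason easy to log, which is what an operator would want to alert on.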

