directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [ApacheDS] Internal vs. external lookups
Date Thu, 31 May 2007 05:17:52 GMT
On 5/31/07, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
>
> --On Wednesday, May 30, 2007 10:11 PM -0700 Enrique Rodriguez
> <enriquer9@gmail.com> wrote:
>
> > Actually, I very much care whether the request is internal vs.
> > external and much much less "who" is attempting the authentication.
> > The issue with what I want to do is that certain operations must NEVER
> > be allowed to occur from outside the server.  Basing this upon the
> > bind principal does not help since a bind principal can be
> > compromised.  To avoid a security problem when a principal is
> > compromised, I must prevent certain operations from ever occurring from
> > outside the server, and thus I must know whether a request is coming
> > from inside vs. outside the server and not who the bind principal is.
>
> This is something that matters considerably when considering dynamic group
> expansion.  I haven't followed whether or not Apache DS has implemented (or
> will implement) this, but that's certainly a place where I found that it is
> necessary to have the concept of an internal ID acting on different
> permissions from the external ID making a request.


This is interesting. Can you elaborate or give an example of such a
situation?

Alex
