directory-users mailing list archives

From Emmanuel Lécharny
Subject Re: acl in apacheDS
Date Fri, 18 Mar 2016 10:08:37 GMT
On 18/03/16 10:41, Peter Jamieson wrote:
>>> Is there a way I can prevent modifications to the directory from all servers
>>> except the local one (or a named address)?
>> Not really. Protections are based on bound users, not on IP address or server's name.
>> Now, if you have the DN of the servers you want to forbid modification from, then it's possible.
> I missed the last part at first, but it sounds interesting.
> Do I have to explicitly give a DN to a server?
> Turning this round the other way, I only want to allow from a single server (or pre-defined
> group); your response suggests this may be possible.

The ACLs are based on the DN the client used to bind. So if a server
does not access your LDAP server anonymously, then you should be able to
authenticate it with the DN it uses to bind.

Now, it's really not convenient as you probably provision those servers
with a unique DN. Being able to authz based on the IP address would
definitely be a plus.
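
Added illustration, not part of the original message: an ApacheDS access control subentry that grants modification rights to a single bind DN, in the X.501-style ACI syntax ApacheDS uses. The suffix `dc=example,dc=com` and the service DN are placeholders; the example assumes access control is enabled on the server and that the suffix entry is already an access control administrative point.

```ldif
# Constructed example. dc=example,dc=com and
# uid=provisioner,ou=services,dc=example,dc=com are placeholders.
# Assumes the suffix entry carries
#   administrativeRole: accessControlSpecificArea
# and that access control is switched on for the directory service.
# With access control on, anything not granted is denied, so other
# bind DNs (and anonymous binds) get no write access from this rule.
dn: cn=writeFromProvisioner,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: writeFromProvisioner
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "writeFromProvisioner",
  precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name { "uid=provisioner,ou=services,dc=example,dc=com" }
    },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials {
        grantAdd, grantRemove, grantModify, grantRename,
        grantBrowse, grantRead, grantReturnDN,
        grantFilterMatch, grantCompare
      }
    } }
  }
 }
```

The rule matches on the DN presented at bind time, so it only separates servers if each one binds with its own credentials.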
