directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: acl in apacheDS
Date Fri, 18 Mar 2016 11:16:57 GMT
Le 18/03/16 11:36, Peter Jamieson a écrit :
>> Le 18/03/16 10:41, Peter Jamieson a écrit :
>>>>> Is there a way I can prevent modifications to the directory from all
>> servers except the local one (or a named address)?
>>>> Not really. Protection are based on bound users, not on IP address or
>> server's name. Now, if you have the DN of the servers you want to forbid
>> modification from, then it's possible.
>>> I missed the last part at first, but it sounds interesting.
>>> Do I have to explicitly give a DN to a server?
>>> Turning this round the other way, I only want to allow from a single server
>> (or pre-defined group);  Your response suggests this may be possible.
>>
>> The ACLs are based on the DN the client used to bind. So if a server does not
>> access your LDAP server anonymously, then you should be able to
>> authenticate it with teh DN it uses to bind.
>>
>> Now, it's really not convenient as you probably provision those servers with a
>> unique DN. being able to authz based on teh IP address would definitively be
>> a plus.
> Ahh, it's the authz interceptor that does this ... good to know :)
>
> Is this correct?  The first section of the delete method of DefaultAuthorizationInterceptor
is: -
>
>         if ( deleteContext.getSession().getDirectoryService().isAccessControlEnabled()
)
>         {
>             next( deleteContext );
>             return;
>         }
>
> Shouldn't that be "if ( ! ... )" or am I misunderstanding?

Ouch... Seems that interecptor is largely buggy. We don't even have a
check for teh ADD operation...

Actually, we have 2 authz interceptors that are actiaved : the ACI
interceptor and teh Default one. There is some room for improvement here...
>
> So, I update the directory with ldapadd, e.g.: -
>
> ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -w $PASS -f /opt/ivb/config/apacheds/example_user.ldif
>
> Is this anonymous access?  
No, you are specifying a DN with -D

> If not, which is the DN?

uid=admin,ou=system




Mime
View raw message