directory-users mailing list archives

From Peter Jamieson <Peter.Jamie...@convergys.com>
Subject RE: acl in apacheDS
Date Fri, 18 Mar 2016 11:39:10 GMT
> From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
> Sent: 18 March 2016 11:17
> To: users@directory.apache.org
> Subject: Re: acl in apacheDS
>
> >> Now, it's really not convenient as you probably provision those
> >> servers with a unique DN. Being able to authz based on the IP address
> >> would definitively be a plus.
> > Ahh, it's the authz interceptor that does this ... good to know :)
> >
> > Is this correct?  The first section of the delete method of
> > DefaultAuthorizationInterceptor is: -
> >
> >         if ( deleteContext.getSession().getDirectoryService().isAccessControlEnabled() )
> >
> > Shouldn't that be "if ( ! ... )" or am I misunderstanding?
>
> Ouch... Seems that interceptor is largely buggy. We don't even have a check
> for the ADD operation...
>
> Actually, we have 2 authz interceptors that are activated: the ACI interceptor
> and the Default one. There is some room for improvement here...
> >

It seems I'm using the Aci one, so that's ok :)

> > So, I update the directory with ldapadd, e.g.: -
> >
> > ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -w $PASS -f
> > /opt/ivb/config/apacheds/example_user.ldif
> >
> > Is this anonymous access?
> No, you are specifying a DN with -D
>
> > If not, which is the DN?
>
> uid=admin,ou=system
>
>

OK, so the DN is the user you are binding as rather than the client server.

Having looked at it, I will write a custom authz interceptor to look at the client address
of LdapPrincipal and reject it if it's not localhost (or a named server).

It looks easy, but there will probably be gotchas :)

Thanks for the help.
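A sketch of the client-address check described in this thread, added here as an illustration and not code from the poster or from the ApacheDS project. It assumes the ApacheDS 2.x interceptor API (BaseInterceptor, the OperationContext classes, CoreSession.getClientAddress()) and the Apache LDAP API exception classes; the class name, the allow-list constructor and the sample hosts are hypothetical.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;

/** Rejects add/delete/modify unless the client socket is loopback or an allow-listed server. */
public class ClientAddressAuthzInterceptor extends BaseInterceptor {
    private final String[] allowedHosts;                    // e.g. "10.0.0.5", "provisioner.example.org"
    private final Set<InetAddress> allowed = new HashSet<>(); // resolved once at init, not per operation

    public ClientAddressAuthzInterceptor(String... allowedHosts) { this.allowedHosts = allowedHosts; }

    @Override
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService);
        for (String host : allowedHosts) {
            try { for (InetAddress a : InetAddress.getAllByName(host)) allowed.add(a); }
            catch (UnknownHostException e) { throw new LdapException("cannot resolve allow-listed host " + host, e); }
        }
    }

    /** The decision is made on the session's client socket, not on the bind DN. */
    private void checkClient(OperationContext ctx) throws LdapNoPermissionException {
        SocketAddress sa = ctx.getSession().getClientAddress();
        // Sessions opened in-process (embedded API, server-internal work) carry no socket.
        // Assumption: treat those as local; everything arriving over the network must match.
        if (sa == null) return;
        InetAddress client = (sa instanceof InetSocketAddress) ? ((InetSocketAddress) sa).getAddress() : null;
        if (client != null && (client.isLoopbackAddress() || allowed.contains(client))) return;
        throw new LdapNoPermissionException("write from " + sa + " denied: not localhost or an allow-listed server");
    }

    @Override public void add(AddOperationContext ctx) throws LdapException { checkClient(ctx); next(ctx); }
    @Override public void delete(DeleteOperationContext ctx) throws LdapException { checkClient(ctx); next(ctx); }
    @Override public void modify(ModifyOperationContext ctx) throws LdapException { checkClient(ctx); next(ctx); }
}
```

Register it in the interceptor chain ahead of the existing authz interceptors so the address check runs before the ACI evaluation; operations that bypass the chain (for example a session created directly inside the server) are not covered, which is the main gotcha to test for.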
