On 5/31/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
--On Wednesday, May 30, 2007 10:11 PM -0700 Enrique Rodriguez <[EMAIL PROTECTED]> wrote:

> Actually, I very much care whether the request is internal vs.
> external and much much less "who" is attempting the authentication.
> The issue with what I want to do is that certain operations must NEVER
> be allowed to occur from outside the server. Basing this upon the
> bind principal does not help since a bind principal can be
> compromised. To avoid a security problem when a principal is
> compromised, I must prevent certain operations from ever occurring from
> outside the server, and thus I must know whether a request is coming
> from inside vs. outside the server and not who the bind principal is.

This is something that matters considerably when considering dynamic group expansion. I haven't followed whether or not Apache DS has implemented (or will implement) this, but that's certainly a place where I found that it is necessary to have the concept of an internal ID acting on different permissions from the external ID making a request.

This is interesting. Can you elaborate or give an example of such a situation?

Alex
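
The internal-versus-external distinction discussed in this thread, as an added example that is not from any of the posters and is not Apache DS code: an authorization gate that checks request origin before the bind principal, plus a dynamic group expansion that runs under an internal ID. The operation names, the internal identity and the sample ACL are assumptions constructed for illustration.

```python
from enum import Enum

class Origin(Enum):
    INTERNAL = "internal"  # call made by server code itself
    EXTERNAL = "external"  # request that arrived on a network listener

# Assumed names: the operation labels and the internal identity are hypothetical.
INTERNAL_ONLY = {"evaluate_member_url"}
INTERNAL_ID = "cn=internal-expander"

class Server:
    def __init__(self, acl, group_members):
        self._acl = acl                    # principal -> permitted operations
        self._group_members = group_members

    def _authorize(self, principal, operation, origin):
        # Origin is checked before the ACL, so no bind principal,
        # however privileged or compromised, can override it.
        if operation in INTERNAL_ONLY and origin is not Origin.INTERNAL:
            return False
        return operation in self._acl.get(principal, set())

    def handle_network(self, principal, operation):
        # The listener stamps the origin; it is never read from the client.
        return self._authorize(principal, operation, Origin.EXTERNAL)

    def _handle_internal(self, principal, operation):
        return self._authorize(principal, operation, Origin.INTERNAL)

    def expand_dynamic_group(self, requester):
        # The external ID only needs permission to read the group ...
        if not self.handle_network(requester, "read_group"):
            return None
        # ... while the expansion runs under the internal ID's permissions.
        if not self._handle_internal(INTERNAL_ID, "evaluate_member_url"):
            return None
        return sorted(self._group_members)

def build_demo_server():
    # Constructed sample data.
    acl = {
        "uid=admin": {"read_group", "evaluate_member_url"},
        "uid=alice": {"read_group"},
        INTERNAL_ID: {"evaluate_member_url"},
    }
    return Server(acl, {"uid=bob", "uid=carol"})
```
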