> On 18/03/16 10:41, Peter Jamieson wrote:
> >>> Is there a way I can prevent modifications to the directory from all
> servers except the local one (or a named address)?
> >> Not really. Protections are based on bound users, not on IP address or
> server's name. Now, if you have the DN of the servers you want to forbid
> modification from, then it's possible.
> > I missed the last part at first, but it sounds interesting.
> > Do I have to explicitly give a DN to a server?
> > Turning this round the other way, I only want to allow from a single server
> (or pre-defined group);  Your response suggests this may be possible.
>
> The ACLs are based on the DN the client used to bind. So if a server does not
> access your LDAP server anonymously, then you should be able to
> authenticate it with the DN it uses to bind.
>
> Now, it's really not convenient as you probably provision those servers with a
> unique DN. Being able to authz based on the IP address would definitely be
> a plus.

Ahh, it's the authz interceptor that does this ... good to know :)

Is this correct?  The first section of the delete method of 
DefaultAuthorizationInterceptor is: -

        if ( deleteContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next( deleteContext );
            return;
        }

Shouldn't that be "if ( ! ... )" or am I misunderstanding?

So, I update the directory with ldapadd, e.g.: -

ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -w $PASS -f /opt/ivb/config/apacheds/example_user.ldif

Is this anonymous access?  If not, which is the DN?

________________________________

NOTICE: The information contained in this electronic mail transmission is 
intended by Convergys Corporation for the use of the named individual or entity 
to which it is directed and may contain information that is privileged or 
otherwise confidential. If you have received this electronic mail transmission 
in error, please delete it from your system without copying or forwarding it, 
and notify the sender of the error by reply email or by telephone (collect), so 
that the sender's address records can be corrected.

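Added example, not part of the thread and not ApacheDS project code: the bind-DN-based restriction described above, expressed as ApacheDS prescriptiveACI subentries. It grants every authenticated user read/search under ou=people and grants write operations to one provisioning DN only. The suffix dc=example,dc=com, the ou=people subtree, the DN uid=provisioner,ou=services,dc=example,dc=com and the precedence values are assumptions chosen for the illustration; the ACI syntax and attribute names are ApacheDS/X.501 ones. It assumes access control has already been switched on (ads-accessControlEnabled: TRUE on ads-directoryServiceId=default,ou=config); with it off, the AciAuthorizationInterceptor is skipped and these entries are never evaluated.

```ldif
# Added example (not from the thread). Assumptions: partition dc=example,dc=com
# exists, entries to protect live under ou=people,dc=example,dc=com, and the
# provisioning server binds as uid=provisioner,ou=services,dc=example,dc=com
# (hypothetical DN). ACIs are only enforced when access control is enabled
# in ou=config (ads-accessControlEnabled: TRUE).

# 1. Make the partition root an access control administrative point so that
#    accessControlSubentry entries beneath it take effect.
dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Every client that binds with simple authentication may read, search and
#    compare under ou=people, but is explicitly denied every write operation.
#    Precedence 10 is deliberately lower than the grant in step 3.
dn: cn=readOnlyForAllUsers,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: readOnlyForAllUsers
subtreeSpecification: { base "ou=people" }
prescriptiveACI: { identificationTag "readOnlyForAllUsers", precedence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantCompare, grantFilterMatch, grantDiscloseOnError, denyAdd, denyRemove, denyModify, denyRename, denyImport, denyExport } } } } }

# 3. Only the provisioning DN may add, modify, rename or delete entries under
#    ou=people. Precedence 20 beats the deny above where both apply; any other
#    bound DN still falls under the deny, and an anonymous session matches
#    neither ACI and is refused by default.
dn: cn=writeForProvisioner,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: writeForProvisioner
subtreeSpecification: { base "ou=people" }
prescriptiveACI: { identificationTag "writeForProvisioner", precedence 20, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=provisioner,ou=services,dc=example,dc=com" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantAdd, grantRemove, grantModify, grantRename, grantImport, grantExport } } } } }
```

Load it with ldapmodify bound as uid=admin,ou=system, then test with two binds: `ldapadd -x -H ldap://localhost:10389 -D "uid=provisioner,ou=services,dc=example,dc=com" -w ... -f example_user.ldif` should succeed, and the same command with any other DN, or with no -D/-w at all (anonymous), should fail with insufficient access. Two caveats: the OpenLDAP tools only perform a simple bind with `-x`; without it they attempt a SASL bind and `-D` is not the identity the ACI sees. And ApacheDS exempts its built-in administrator, so an ldapadd bound as uid=admin,ou=system bypasses these ACIs entirely; a server that should be restricted must be provisioned with its own DN and never given the admin credentials.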