On 18/03/16 10:41, Peter Jamieson wrote:
>>> Is there a way I can prevent modifications to the directory from all
>>> servers except the local one (or a named address)?
>> Not really. Protections are based on bound users, not on IP address or
>> server's name. Now, if you have the DN of the servers you want to forbid
>> modification from, then it's possible.
> I missed the last part at first, but it sounds interesting.
> Do I have to explicitly give a DN to a server?
> Turning this round the other way, I only want to allow from a single server
> (or pre-defined group); your response suggests this may be possible.
The ACLs are based on the DN the client used to bind. So if a server does not access your LDAP server anonymously, then you should be able to authenticate it with the DN it uses to bind. Now, it's really not convenient as you probably provision those servers with a unique DN. Being able to authz based on the IP address would definitely be a plus.
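To make the point of the reply concrete, here is an added example (not code from the thread or from any LDAP server) that models a bind-DN based write rule the way the reply describes it: the decision is keyed only on the DN the client bound with, an anonymous bind has no DN and is therefore refused, and a "pre-defined group" of servers is handled by matching the bind DN against the members of a group entry. The subtree, server DNs and group DN are assumed names chosen for the example; the group membership is embedded inline instead of being read from a directory. DNs are normalized before comparison, since "CN = Server1" and "cn=server1" name the same entry but differ as strings.

```python
"""Bind-DN based write authorization, modelled on the behaviour described
in the thread: the decision looks only at the bind DN, never at the peer
address. Constructed example; it is not any server's ACL implementation."""
import re


def normalize_dn(dn: str) -> str:
    """Return a comparison form of a DN: split on unescaped commas, strip
    whitespace around each RDN and its '=', lower-case attribute types and
    values (adequate for cn/ou/dc, which use case-insensitive matching)."""
    rdns = re.split(r"(?<!\\),", dn)
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def is_within(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies below it."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return e == b or e.endswith("," + b)


class WriteAcl:
    """Write access to one protected subtree for named bind DNs and for
    members of named groups. Everything else is denied (default deny)."""

    def __init__(self, protected_base, allowed_dns=(), allowed_groups=None):
        self.protected_base = normalize_dn(protected_base)
        self.allowed_dns = {normalize_dn(d) for d in allowed_dns}
        # group DN -> set of member DNs; stands in for a groupOfNames lookup
        self.groups = {
            normalize_dn(g): {normalize_dn(m) for m in members}
            for g, members in (allowed_groups or {}).items()
        }

    def may_modify(self, bind_dn, target_dn) -> bool:
        # Anonymous bind: there is no DN to match, so the rule cannot apply.
        if not bind_dn or not bind_dn.strip():
            return False
        # This rule only grants access inside its subtree; elsewhere it
        # grants nothing, which under default deny means "refuse".
        if not is_within(target_dn, self.protected_base):
            return False
        who = normalize_dn(bind_dn)
        if who in self.allowed_dns:
            return True
        return any(who in members for members in self.groups.values())


def example_acl() -> WriteAcl:
    """Assumed layout: one explicitly allowed server plus a group of servers."""
    return WriteAcl(
        "ou=config,dc=example,dc=com",
        allowed_dns=["cn=server1,ou=servers,dc=example,dc=com"],
        allowed_groups={
            "cn=provisioners,ou=groups,dc=example,dc=com": [
                "cn=server2,ou=servers,dc=example,dc=com",
                "cn=server3,ou=servers,dc=example,dc=com",
            ]
        },
    )


if __name__ == "__main__":
    acl = example_acl()
    target = "cn=settings,ou=config,dc=example,dc=com"
    for who in ["cn=server1,ou=servers,dc=example,dc=com",
                "CN = Server3 , OU=Servers,DC=example,DC=com",
                "cn=server9,ou=servers,dc=example,dc=com",
                ""]:
        print(repr(who), "->", acl.may_modify(who, target))
```

Note that nothing in `may_modify` takes a peer address: that is exactly the limitation the reply describes, and it is why each server that is allowed to write must bind with its own (or a group member's) DN rather than anonymously.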
