--On Wednesday, May 30, 2007 10:11 PM -0700 Enrique Rodriguez
<[EMAIL PROTECTED]> wrote:
Actually, I very much care whether the request is internal vs.
external and much much less "who" is attempting the authentication.
The issue with what I want to do is that certain operations must NEVER
be allowed to occur from outside the server. Basing this upon the
bind principal does not help since a bind principal can be
compromised. To avoid a security problem when a principal is
compromised, I must prevent certain operations from ever occurring from
outside the server, and thus I must know whether a request is coming
from inside vs. outside the server and not who the bind principal is.

This is something that matters considerably when considering dynamic group
expansion. I haven't followed whether or not Apache DS has implemented (or
will implement) this, but that's certainly a place where I found that it is
necessary to have the concept of an internal ID acting on different
permissions from the external ID making a request.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc