Hi, Directory developers, I have some use cases for Kerberos that require an interceptor to know whether a request is coming from internal vs. external to the server. For example, if a principal lookup is being performed by the Kerberos protocol provider or by an LDAP search. In other words, internal JNDI access or LDAP-over-the-wire. Unfortunately, I think everything looks like it's coming from CoreContextFactory to the interceptors.
I've thought of a couple of hacks, such as using a special principal for protocol providers to use for binding with JNDI. Today we use the admin principal everywhere (startup config, internal JNDI). But using a special principal still allows that principal to be used for internal or external access, i.e., it's not very explicit. So, the solution I keep coming back to is to create a new Authenticator, the InternalAuthenticator, and to use that as the authenticationLevel "internal" (vs. "simple" or "strong"). Eventually, the solution might be both the InternalAuthenticator in conjunction with service principal DNs that each protocol provider would need to use to bind internally and that we could use in ACI to tighten security. Today protocols bind with the admin account and have full access to the DIT. Is there any way to tell already if a lookup is internal vs. external? Is the InternalAuthenticator a viable option? The implementation would be trivial (I just did the StrongAuthenticator).

Enrique

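As an added illustration of the distinction the post draws (not ApacheDS code; all class, method and DN names are hypothetical), the sketch below shows why an authentication level assigned by the code path is more explicit than a special principal: the same service DN bound over the wire never obtains the "internal" level, so an interceptor keyed on the level rejects it, while a check keyed only on the principal would accept both.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not ApacheDS code: callers are told apart by how their
// authentication level is assigned, not by which principal they bind as.
public class InternalAuthDemo {
    enum AuthLevel { SIMPLE, STRONG, INTERNAL }

    // What an interceptor sees for an authenticated caller.
    record Caller(String principalDn, AuthLevel level) {}

    // Credentials known to the server (constructed sample data).
    static final Map<String, String> PASSWORDS = new HashMap<>();
    static {
        PASSWORDS.put("uid=admin,ou=system", "secret");
        PASSWORDS.put("uid=krb-svc,ou=system", "svcpw");
    }

    // Over-the-wire bind (LDAP): any principal may bind here, so the level is
    // never INTERNAL, even for a service DN with the right password.
    static Caller bindOverWire(String dn, String password) {
        if (!password.equals(PASSWORDS.get(dn))) {
            throw new SecurityException("invalid credentials");
        }
        return new Caller(dn, AuthLevel.SIMPLE);
    }

    // In-process bind (internal JNDI): only reachable from code inside the
    // server, so the level is fixed by the code path rather than by a secret.
    static Caller bindInternal(String serviceDn) {
        return new Caller(serviceDn, AuthLevel.INTERNAL);
    }

    // Interceptor rule: principal lookups that expose Kerberos keys require
    // the INTERNAL level; a matching DN alone is not enough.
    static boolean mayLookupPrincipalSecrets(Caller c) {
        return c.level() == AuthLevel.INTERNAL;
    }

    public static void main(String[] args) {
        Caller kdc = bindInternal("uid=krb-svc,ou=system");
        // Same DN and a valid password, but arriving over LDAP.
        Caller ldapClient = bindOverWire("uid=krb-svc,ou=system", "svcpw");
        System.out.println(mayLookupPrincipalSecrets(kdc));        // true
        System.out.println(mayLookupPrincipalSecrets(ldapClient)); // false
    }
}
```

Per-service DNs still matter in this model: they let ACI limit what each provider's internal binds may touch, which the level alone does not do.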