On 18/03/16 11:36, Peter Jamieson wrote:
>> On 18/03/16 10:41, Peter Jamieson wrote:
>>>>> Is there a way I can prevent modifications to the directory from all
>> servers except the local one (or a named address)?
>>>> Not really. Protections are based on bound users, not on IP address or
>> server name. Now, if you have the DN of the servers you want to forbid
>> modification from, then it's possible.
>>> I missed the last part at first, but it sounds interesting.
>>> Do I have to explicitly give a DN to a server?
>>> Turning this round the other way, I only want to allow from a single server
>> (or pre-defined group); Your response suggests this may be possible.
>>
>> The ACLs are based on the DN the client used to bind. So if a server does not
>> access your LDAP server anonymously, then you should be able to
>> authenticate it with the DN it uses to bind.
>>
>> Now, it's really not convenient as you probably provision those servers with a
>> unique DN. Being able to authz based on the IP address would definitely be
>> a plus.
> Ahh, it's the authz interceptor that does this ... good to know :)
>
> Is this correct? The first section of the delete method of
> DefaultAuthorizationInterceptor is: -
>
> if ( deleteContext.getSession().getDirectoryService().isAccessControlEnabled() )
> {
>     next( deleteContext );
>     return;
> }
>
> Shouldn't that be "if ( ! ... )" or am I misunderstanding?
Ouch... Seems that interceptor is largely buggy. We don't even have a
check for the ADD operation...
Actually, we have 2 authz interceptors that are activated: the ACI
interceptor and the Default one. There is some room for improvement here...
>
> So, I update the directory with ldapadd, e.g.: -
>
> ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -w $PASS -f
> /opt/ivb/config/apacheds/example_user.ldif
>
> Is this anonymous access?
No, you are specifying a DN with -D
> If not, which is the DN?
uid=admin,ou=system
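Added illustration of the points made in this thread (an example written here, not code from the thread or from ApacheDS): authorization is keyed on the DN the client bound with, an anonymous bind has no DN at all, the client's IP address is never consulted, and an ldapadd invocation with -D is a non-anonymous bind. The model keeps the pass-through-when-access-control-is-enabled ordering that the thread questions, with a stand-in ACI stage as the next interceptor, so the effect of each ordering is visible in the trace. The classes (Session, Operation, DefaultAuthorizationInterceptor, AciInterceptor), the allow-list semantics, and the sample command line and DNs are hypothetical and constructed for the example.

```python
"""Toy model of LDAP authorization keyed on the bind DN (added example,
not ApacheDS code; the class names and allow-list rules are hypothetical)."""
from dataclasses import dataclass, field
from typing import Optional

ADMIN_DN = "uid=admin,ou=system"
WRITE_OPS = {"add", "delete", "modify"}


def normalize_dn(dn: str) -> str:
    """Crude DN normalization for comparisons (lower-case, trim around commas).
    Real DN normalization also handles escaping and attribute-type aliases."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def bind_dn_from_ldapadd_args(argv: list) -> Optional[str]:
    """Return the DN passed to ldapadd's -D option, or None when there is
    none (no -D means the tool binds anonymously)."""
    for i, arg in enumerate(argv):
        if arg == "-D" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-D") and len(arg) > 2:  # -Duid=... form
            return arg[2:]
    return None


@dataclass
class Session:
    bind_dn: Optional[str]          # None == anonymous bind
    client_ip: str = "127.0.0.1"    # kept only to show it is never consulted

    @property
    def is_anonymous(self) -> bool:
        return self.bind_dn is None


@dataclass
class Operation:
    kind: str                       # "add", "delete", "modify", "search", ...
    session: Session
    trace: list = field(default_factory=list)


class DefaultAuthorizationInterceptor:
    """When access control (ACI) is enabled, defer to the next interceptor
    (the pass-through the thread asks about); otherwise enforce a bind-DN
    allow-list for write operations. Hypothetical model."""

    def __init__(self, access_control_enabled: bool, allowed_writers):
        self.access_control_enabled = access_control_enabled
        self.allowed = {normalize_dn(d) for d in allowed_writers}

    def __call__(self, op: Operation, next_interceptor) -> bool:
        if self.access_control_enabled:
            op.trace.append("default: access control enabled, deferring")
            return next_interceptor(op)
        s = op.session
        if op.kind in WRITE_OPS and (s.is_anonymous or normalize_dn(s.bind_dn) not in self.allowed):
            op.trace.append(f"default: denied {op.kind} for {s.bind_dn!r}")
            return False
        op.trace.append(f"default: allowed {op.kind} for {s.bind_dn!r}")
        return next_interceptor(op)


class AciInterceptor:
    """Stand-in for ACI evaluation: a per-DN allow-list for writes. A real
    ACI engine evaluates prescriptive ACIs against the target entry."""

    def __init__(self, write_dns):
        self.write_dns = {normalize_dn(d) for d in write_dns}

    def __call__(self, op: Operation, next_interceptor) -> bool:
        s = op.session
        if op.kind in WRITE_OPS and (s.is_anonymous or normalize_dn(s.bind_dn) not in self.write_dns):
            op.trace.append(f"aci: denied {op.kind} for {s.bind_dn!r}")
            return False
        op.trace.append(f"aci: allowed {op.kind} for {s.bind_dn!r}")
        return next_interceptor(op)


def build_chain(*interceptors):
    """Compose interceptors in order; the terminal stage performs the operation."""
    def terminal(op):
        op.trace.append(f"executed {op.kind}")
        return True
    chain = terminal
    for icpt in reversed(interceptors):
        chain = (lambda nxt, i: (lambda op: i(op, nxt)))(chain, icpt)
    return chain


def authorize(kind: str, bind_dn, client_ip="127.0.0.1", aci_enabled=False,
              allowed_writers=(ADMIN_DN,)) -> bool:
    """Run one operation through Default -> ACI -> execute; True if it ran."""
    chain = build_chain(DefaultAuthorizationInterceptor(aci_enabled, allowed_writers),
                        AciInterceptor(allowed_writers))
    return chain(Operation(kind, Session(bind_dn, client_ip)))


if __name__ == "__main__":
    # Constructed command line mirroring the one in the thread (password is a dummy).
    argv = ["ldapadd", "-h", "localhost", "-p", "10389", "-D", ADMIN_DN,
            "-w", "secret", "-f", "example_user.ldif"]
    dn = bind_dn_from_ldapadd_args(argv)
    print("ldapadd binds as:", dn)
    for ip in ("127.0.0.1", "203.0.113.9"):   # same DN, different source IP
        print(ip, "admin delete ->", authorize("delete", dn, ip))
    print("anonymous delete ->", authorize("delete", None))
    print("other server delete ->", authorize("delete", "cn=web01,ou=servers,dc=example,dc=com"))
```

Two things the run makes visible: the same bind DN gets the same answer from 127.0.0.1 and from a remote address, because nothing in either interceptor looks at the IP; and restricting writes to "one server or a pre-defined group" is only expressible as a set of bind DNs (the allowed_writers tuple), which is the provisioning burden the thread points out.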