> From: Emmanuel Lécharny [mailto:[email protected]]
> Sent: 18 March 2016 11:17
> To: [email protected]
> Subject: Re: acl in apacheDS
>
> >> Now, it's really not convenient as you probably provision those
> >> servers with a unique DN. being able to authz based on the IP address
> >> would definitively be a plus.
> > Ahh, it's the authz interceptor that does this ... good to know :)
> >
> > Is this correct?  The first section of the delete method of
> > DefaultAuthorizationInterceptor is: -
> >
> >         if ( deleteContext.getSession().getDirectoryService().isAccessControlEnabled() )
> >
> > Shouldn't that be "if ( ! ... )" or am I misunderstanding?
>
> Ouch... Seems that interceptor is largely buggy. We don't even have a check
> for the ADD operation...
>
> Actually, we have 2 authz interceptors that are activated : the ACI interceptor
> and the Default one. There is some room for improvement here...
> >

It seems I'm using the Aci one, so that's ok :)

> > So, I update the directory with ldapadd, e.g.: -
> >
> > ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -w $PASS -f
> > /opt/ivb/config/apacheds/example_user.ldif
> >
> > Is this anonymous access?
> No, you are specifying a DN with -D
>
> > If not, which is the DN?
>
> uid=admin,ou=system
>
>

OK, so the Dn is the user you are binding as rather than the client server.

Having looked at it, I will write a custom authz interceptor to look at the 
client address of LdapPrincipal and reject it if it's not localhost (or a named 
server).

It looks easy, but there will probably be gotchas :)

Thanks for the help.
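An added sketch of the client-address interceptor described above, not code from this thread or from ApacheDS itself; it assumes the ApacheDS 2.0 names BaseInterceptor, CoreSession.getEffectivePrincipal() and LdapPrincipal.getClientAddress(), and the allow-list address is a constructed placeholder:

```java
import java.net.InetAddress;
import java.util.Collections;
import java.util.Set;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
import org.apache.directory.server.core.api.interceptor.context.OperationContext;

// Hypothetical interceptor: writes are accepted only from the loopback address or
// an explicit allow-list of hosts. Assumes the ApacheDS 2.0 API names used below.
public class ClientAddressInterceptor extends BaseInterceptor
{
    // Constructed allow-list entry; a real deployment would load this from configuration.
    private final Set<String> allowedHosts = Collections.singleton( "10.0.0.5" );

    // The gate reads "if NOT allowed, reject" (the negation the thread found missing).
    private void checkClient( OperationContext ctx ) throws LdapException
    {
        LdapPrincipal principal = ctx.getSession().getEffectivePrincipal();
        InetAddress client = principal.getClientAddress();
        // No network address means an in-process session; treated as local (assumption).
        if ( client == null || client.isLoopbackAddress() )
        {
            return;
        }
        if ( !allowedHosts.contains( client.getHostAddress() ) )
        {
            throw new LdapNoPermissionException( "Write from " + client.getHostAddress()
                + " refused for " + principal.getDn() );
        }
    }

    @Override
    public void add( AddOperationContext addContext ) throws LdapException
    {
        checkClient( addContext );
        next( addContext );
    }

    @Override
    public void delete( DeleteOperationContext deleteContext ) throws LdapException
    {
        checkClient( deleteContext );
        next( deleteContext );
    }
}
```

Modify, rename and move would need the same treatment, and the interceptor has to be registered in the interceptor chain before it takes effect.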
