[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Question: a group of peernames ?

To: Markus Benning <benning@erlm.siemens.de>
Subject: Re: ACL Question: a group of peernames ?
From: Robert J Gautier <rjg@ateb.co.uk>
Date: Mon, 3 Dec 2001 10:07:10 +0000 (GMT)
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <20011203105400.A5148@erls02.siemens.de>

On Mon, 3 Dec 2001, Markus Benning wrote:

> Hi everyone,
>
> I'm searching for a way to Limit Access to a list of Hosts.
>
> Is it possible to have a group of hostnames and/or ips in
> the LDAP Tree and limit Access to hosts in that group ?
>
> An other way will to generate iptables rules out of
> the LDAP Directory with a little script.
> But this is not the perfect way.

That seems like a pretty good way:

1) The access control is done in the kernel, so slapd isn't
	bothered by attacks;

2) Your script can be server-independent (e.g. could work with
	some other LDAP server implementation);

3) Your script can run in the firewall,	rather than on your LDAP
	server host;

4) Your access control can be more dynamic, responding to changes
	in your LDAP directory content -- AFAIK ACLs can't be
	changed at runtime.

Bob G

Follow-Ups:
- Re: ACL Question: a group of peernames ?
  - From: Markus Benning <benning@erlm.siemens.de>

References:
- ACL Question: a group of peernames ?
  - From: Markus Benning <benning@erlm.siemens.de>

Prev by Date: Openldap with MySQL-Backend
Next by Date: SASL Authentication & OpenLDAP 2.0.18
Index(es):
- Chronological
- Thread