
Re: ACL by IP



Howard Chu wrote:
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo
Masarati


Subnet mask might be an interesting evolution; note that all of this,
at least in my opinion and from my personal experience, should not be
used instead of appropriate authentication.


Indeed. I really cannot see a valid use for fine-grained access control
based on an IP subnet. That is such a huge range of accessors; for such
coarse control you should just use TCP_WRAPPER to permit/deny connectivity
to the server.


Variable length subnet masks are often much more useful. An administrator with an internal network can specify 172.168.0.0/16, instead of listing the IPs and modifying OpenLDAP ACLs whenever he/she uses a new IP for a new computer.


The implementation shouldn't be any more resource intensive than regular IP matches. The IP in question is bitwise AND'ed with the subnet mask, then compared with the subnet.

I don't understand how this functionality could be reproduced with tcp wrappers.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support





-- http://linuxquestions.org/ - Ask linux questions, give linux help. http://splint.org/ - Write safe C code. splint source-code analyzer.
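The AND-then-compare match described in the reply above, written out as an added example in C. This is not code from the thread or from OpenLDAP's own slapd ACL code; it assumes IPv4 only, a "a.b.c.d/nn" rule syntax, and the hypothetical helper names parse_cidr, ip_in_subnet and peer_matches. Malformed rules or peer addresses return -1 so a caller can fail closed instead of treating an unparsable rule as a match, and a bare address without "/nn" is handled as a /32, which is exactly the plain IP comparison the thread already has.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse dotted-quad IPv4 text into a host-order 32-bit value.
 * Returns 1 on success, 0 on malformed input (trailing junk, octet > 255). */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned int a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* Parse "a.b.c.d/nn" into a network address and mask (hypothetical helper).
 * A bare address with no "/nn" is treated as a /32 host match. */
int parse_cidr(const char *spec, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    char *slash;
    unsigned long bits = 32;

    if (strlen(spec) >= sizeof buf)
        return 0;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        if (slash[1] == '\0')
            return 0;                       /* "10.0.0.0/" has no prefix length */
        bits = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || bits > 32)
            return 0;
    }
    if (!parse_ipv4(buf, net))
        return 0;
    /* A /0 must yield an all-zero mask; shifting a 32-bit value by 32 is undefined in C */
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    /* Normalise so "172.168.5.9/16" and "172.168.0.0/16" describe the same subnet */
    *net &= *mask;
    return 1;
}

/* The test the thread describes: AND the peer address with the mask,
 * then compare the result with the subnet address. */
int ip_in_subnet(uint32_t ip, uint32_t net, uint32_t mask)
{
    return (ip & mask) == net;
}

/* Match a textual peer address against a textual rule (hypothetical helper).
 * Returns 1 for match, 0 for no match, -1 for malformed input so the caller
 * can fail closed rather than let a bad rule grant access. */
int peer_matches(const char *peer_ip, const char *cidr_spec)
{
    uint32_t ip, net, mask;
    if (!parse_cidr(cidr_spec, &net, &mask))
        return -1;
    if (!parse_ipv4(peer_ip, &ip))
        return -1;
    return ip_in_subnet(ip, net, mask);
}

int main(void)
{
    /* Constructed sample rules and peer addresses, not taken from any real deployment */
    const char *rules[] = { "172.168.0.0/16", "10.1.2.0/24", "192.0.2.7" };
    const char *peers[] = { "172.168.5.9", "172.169.5.9", "10.1.2.200",
                            "10.1.3.1", "192.0.2.7", "192.0.2.8" };
    size_t r, p;

    for (r = 0; r < sizeof rules / sizeof rules[0]; r++)
        for (p = 0; p < sizeof peers / sizeof peers[0]; p++)
            printf("%-16s vs %-16s -> %d\n", peers[p], rules[r],
                   peer_matches(peers[p], rules[r]));
    return 0;
}
```

The per-connection cost is one AND and one compare per rule, which is the point made in the reply: no more expensive than a plain IP equality test. Rejecting a prefix length above 32 and an empty or non-numeric suffix keeps a typo in the rule from silently widening the match.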