[Date Prev][Date Next] [Chronological] [Thread] [Top]

address-based ACLs [WAS: peername + openldap 2.2.4]

To: openldap-software@OpenLDAP.org
Subject: address-based ACLs [WAS: peername + openldap 2.2.4]
From: "Medievalist" <ldap@hbcs.org>
Date: Wed, 07 Jan 2004 15:48:27 -0500
Content-description: Mail message body
In-reply-to: <63465.81.72.89.40.1073502722.squirrel@webmail.sys-net.it>
References: <165518543.1073469660@cadabra.stanford.edu>

On 7 Jan 2004 at 20:12, Pierangelo Masarati wrote:
[snip]
>
> but a radically better solution would be to use a more
> reliable ACL policy than one based on the IP of the
> client.
> 
[snip]

Pierangelo, I am curious:  what would you consider "more reliable" than using 
the IP address in access controls?

I am on an IANA-legal pure-IP network with strong ingress and egress filtering 
at the edge routers.  For me, IP address is an extremely reliable method of 
determining if a connection originated "inside" my physical area of control.  
Users cannot be trusted to keep their passwords secure, and anything else might 
be spoofed by a reasonably clever person.

--Charlie

Follow-Ups:
- Re: address-based ACLs [WAS: peername + openldap 2.2.4]
  - From: "Pierangelo Masarati" <ando@sys-net.it>

References:
- Re: peername + openldap 2.2.4
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: peername + openldap 2.2.4
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: slapd not using secure port.
Next by Date: Re: YET MORE: Problem building openldap
Index(es):
- Chronological
- Thread