Re: ACL by IP

[Kervin Pierre <kpierre@fit.edu>]

Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo
> > Masarati
>
>
> > Subnet mask might be an interesting evolution; note that all of this,
> > at least in my opinion and from my personal experience, should not be
> > used instead of appropriate authentication.
>
>
> Indeed. I really cannot see a valid use for fine-grained access control
> based on an IP subnet. That is such a huge range of accessors; for such
> coarse control you should just use TCP_WRAPPER to permit/deny connectivity
> to the server.

Varible length subnet mask are often much for useful.  Administrator 
with an internal network can specify 172.168.0.0/16 , instead of listing 
the IPs and modifying openldap ACLs whenever he/she uses a new IP for a 
new computer.

The implementation shouldn't be anymore resource intensive than regular 
IP matches.  The IP in question is bitwise AND'ed with the subnet mask 
then compared with the subnet.

I don't understand how this functionality could be reproduced with tcp 
wrappers.

>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support



--
http://linuxquestions.org/ - Ask linux questions, give linux help.
http://splint.org/ - Write safe C code. splint source-code analyzer.