[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Question: a group of peernames ?

On Mon, 3 Dec 2001, Markus Benning wrote:

> Hi everyone,
> I'm searching for a way to Limit Access to a list of Hosts.
> Is it possible to have a group of hostnames and/or ips in
> the LDAP Tree and limit Access to hosts in that group ?
> An other way will to generate iptables rules out of
> the LDAP Directory with a little script.
> But this is not the perfect way.

That seems like a pretty good way:

1) The access control is done in the kernel, so slapd isn't
	bothered by attacks;

2) Your script can be server-independent (e.g. could work with
	some other LDAP server implementation);

3) Your script can run in the firewall,	rather than on your LDAP
	server host;

4) Your access control can be more dynamic, responding to changes
	in your LDAP directory content -- AFAIK ACLs can't be
	changed at runtime.

Bob G