Re: ACL by IP
Howard Chu wrote:
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Pierangelo
Subnet mask might be an interesting evolution; note that all of this,
at least in my opinion and from my personal experience, should not be
used instead of appropriate authentication.
Indeed. I really cannot see a valid use for fine-grained access control
based on an IP subnet. That is such a huge range of accessors; for such
coarse control you should just use TCP_WRAPPER to permit/deny connectivity
to the server.
Variable length subnet masks are often much more useful. An administrator
with an internal network can specify 220.127.116.11/16, instead of listing
the IPs and modifying OpenLDAP ACLs whenever he/she uses a new IP for a
The implementation shouldn't be any more resource-intensive than regular
IP matches. The IP in question is bitwise AND'ed with the subnet mask,
then compared with the subnet.
I don't understand how this functionality could be reproduced with tcp
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
http://linuxquestions.org/ - Ask linux questions, give linux help.
http://splint.org/ - Write safe C code. splint source-code analyzer.
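The match described in the post (client address AND mask, compare with the network) written out as an added, self-contained example. This is editor-supplied code, not slapd's ACL implementation and not code from anyone in the thread; the `cidr_parse`, `cidr_match` and `ip_in_subnet` names are assumptions, and it handles IPv4 only. The prefix is taken from "a.b.c.d/n" notation, the mask is built from the prefix length, and the edge cases a practitioner would trip over (/0, /32, an out-of-range or empty prefix, an unparsable address) are handled explicitly.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a CIDR matcher of the kind proposed in the post.
 * All addresses are kept in network byte order, as inet_pton returns them,
 * so the mask is converted with htonl() before use. */

struct cidr {
    uint32_t net;   /* network address with host bits cleared */
    uint32_t mask;  /* netmask derived from the prefix length */
};

/* Parse "a.b.c.d/n" (a bare "a.b.c.d" means /32).
 * Returns 0 on success, -1 on any syntax or range error. */
int cidr_parse(const char *spec, struct cidr *out)
{
    char buf[32];
    char *slash;
    struct in_addr addr;
    long bits = 32;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        if (slash[1] == '\0')                 /* "10.0.0.0/" is not a prefix */
            return -1;
        bits = strtol(slash + 1, &end, 10);
        if (*end != '\0' || bits < 0 || bits > 32)
            return -1;                        /* junk or out-of-range prefix */
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;

    /* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
    out->mask = (bits == 0) ? 0 : htonl((uint32_t)(0xFFFFFFFFu << (32 - bits)));
    /* Normalise so that "10.1.2.3/8" and "10.0.0.0/8" describe the same network. */
    out->net = addr.s_addr & out->mask;
    return 0;
}

/* The operation from the post: (ip & mask) == net.  An address that does not
 * parse never matches, so a malformed peer address cannot be granted access. */
int cidr_match(const struct cidr *c, const char *ip)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return 0;
    return (addr.s_addr & c->mask) == c->net;
}

/* Convenience wrapper: 1 if ip is inside spec, 0 if outside or spec is invalid.
 * An invalid ACL entry fails closed rather than matching everything. */
int ip_in_subnet(const char *ip, const char *spec)
{
    struct cidr c;
    if (cidr_parse(spec, &c) != 0)
        return 0;
    return cidr_match(&c, ip);
}

int main(void)
{
    const char *acl = "220.127.116.11/16";          /* the subnet from the post */
    const char *peers[] = { "220.127.1.1", "220.128.0.1", "not-an-ip" };  /* constructed sample peers */
    size_t i;

    for (i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-14s %s %s\n", peers[i],
               ip_in_subnet(peers[i], acl) ? "matches" : "outside", acl);
    return 0;
}
```

Two checks worth keeping in mind when using a matcher like this for access control: the network portion is normalised at parse time, so the ACL entry "220.127.116.11/16" is really the /16 network 220.127.0.0/16, and every host behind a NAT or proxy in that range presents the same source address and is therefore granted the same access. For the coarse case Howard describes, tcp_wrappers' hosts_access(5) already accepts net/mask patterns such as 192.168.0.0/255.255.0.0, so connectivity can be restricted there before any ACL evaluation happens.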