[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: address-based ACLs [WAS: peername + openldap 2.2.4]

To: <ldap@hbcs.org>
Subject: Re: address-based ACLs [WAS: peername + openldap 2.2.4]
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Wed, 7 Jan 2004 23:02:50 +0100 (CET)
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <3FFC2A4B.21226.1750854@localhost>
References: <165518543.1073469660@cadabra.stanford.edu> <3FFC2A4B.21226.1750854@localhost>

> On 7 Jan 2004 at 20:12, Pierangelo Masarati wrote:
> [snip]
>>
>> but a radically better solution would be to use a more
>> reliable ACL policy than one based on the IP of the
>> client.
>>
> [snip]
>
> Pierangelo, I am curious:  what would you consider "more reliable" than
> using  the IP address in access controls?

strong auth, where strong depends on your taste.

>
> I am on an IANA-legal pure-IP network with strong ingress and egress
> filtering  at the edge routers.  For me, IP address is an extremely
> reliable method of  determining if a connection originated "inside" my
> physical area of control.   Users cannot be trusted to keep their
> passwords secure, and anything else might  be spoofed by a reasonably
> clever person.

Including IPs :)

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- Re: peername + openldap 2.2.4
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- address-based ACLs [WAS: peername + openldap 2.2.4]
  - From: "Medievalist" <ldap@hbcs.org>

Prev by Date: Re: back-sql
Next by Date: Replication problem
Index(es):
- Chronological
- Thread