[Twisted-Python] ldaptor and bind
tv at eagain.net
Mon Jan 7 18:54:48 EST 2008
On Tue, Jan 08, 2008 at 12:34:29AM +0100, Ottavio Campana wrote:
>> Umm, if you didn't even realize you need to protect against
>> modification, do you really think you can manage to implement
>> it securely?
> Well, considering that data provided through ldap is for read-only use, that
> ldap exports information saved in a database which is protected, that
> clients access the ldap server only read-only and the network is not
> hostile, I think it could be acceptable.
Yes, but unless you do something to prevent writes, anonymous can
overwrite anyone's password. That sort of makes any read restrictions
pointless, doesn't it?
> PS: going on with my idea, I could overwrite handle_LDAPModifyDNRequest by
> always raising ldaperrors.LDAPUnwillingToPerform. The same for all other
> add/delete/modify requests...
Ah, good. You realize they are there ;) That was my point; earlier you
spoke only of filtering search requests. To implement ACLs, you need
way more than that.
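
Added example, not part of the original message and not ldaptor code: a default-deny wrapper that refuses every `handle_LDAP*Request` method outside a short read allowlist, so a write path nobody remembered to block (such as an extended password-modify operation) is refused as well. Handler names other than `handle_LDAPModifyDNRequest` are assumptions about ldaptor's naming convention, and `ToyServer` and `UnwillingToPerform` are constructed stand-ins.

```python
# Assumed ldaptor-style names for the operations a read-only directory must allow.
READ_HANDLERS = frozenset({
    "handle_LDAPBindRequest",
    "handle_LDAPUnbindRequest",
    "handle_LDAPSearchRequest",
})


class UnwillingToPerform(Exception):
    """Stand-in for ldaperrors.LDAPUnwillingToPerform; pass the real class as `error`."""


def is_request_handler(name):
    return name.startswith("handle_LDAP") and name.endswith("Request")


def read_only(server_cls, allowed=READ_HANDLERS, error=UnwillingToPerform):
    """Subclass server_cls so every handler outside `allowed` refuses the request."""
    def refuser(name):
        def refuse(self, request, controls, reply):
            raise error(name + " refused: directory is read-only")
        return refuse
    overrides = {n: refuser(n) for n in dir(server_cls)
                 if is_request_handler(n) and n not in allowed}
    return type("ReadOnly" + server_cls.__name__, (server_cls,), overrides)


def refused_handlers(cls):
    """Names of the handlers the wrapper replaced on cls (for review or a unit test)."""
    return sorted(n for n in vars(cls) if is_request_handler(n))


class ToyServer:
    """Constructed stand-in with ldaptor-style handler names; not ldaptor code."""
    def __init__(self):
        self.passwords = {"cn=alice,dc=example,dc=org": "old-secret"}

    def handle_LDAPSearchRequest(self, request, controls, reply):
        return sorted(self.passwords)

    def handle_LDAPModifyRequest(self, request, controls, reply):
        dn, new_password = request
        self.passwords[dn] = new_password

    def handle_LDAPModifyDNRequest(self, request, controls, reply):
        old_dn, new_dn = request
        self.passwords[new_dn] = self.passwords.pop(old_dn)

    def handle_LDAPExtendedRequest(self, request, controls, reply):
        dn, new_password = request  # models a password-modify extended operation
        self.passwords[dn] = new_password


ReadOnlyToyServer = read_only(ToyServer)
```

Checking `refused_handlers()` in a unit test makes a newly added write handler show up as a reviewed change rather than as a silent gap.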