
Re: IP based ACL



Craig Squires wrote:
> Just another datapoint on this issue:
>
> I've found using peername.regex was the only way I could get this to
> work. None of the "exact" samples I could find anywhere would match.
> We're using 2.2.4 here.
>
> Q: is there a performance hit for using .regex rather than an exact
> match?

yes: regex always works, exact doesn't in most cases.

> Q2: does anyone know what the exact match should be?

in most cases, unpredictable: you need to match the port the OS automatically assigns to your connection.

See http://www.openldap.org/lists/openldap-software/200401/msg00174.html
and related postings; see also
https://www.openldap.org/its/index.cgi/Development?id=2907
which has not been merged to HEAD yet, but it could, since
it's basically frozen right now.  If you think this is what
you need, holler, and you'll be the beta tester :)

p.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
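
Added example, not part of the original message and not OpenLDAP code: a small Python model of the matching problem discussed above, showing why an exact peername value breaks when the client's port changes and why a peername regex should be anchored and escaped so it does not admit neighbouring addresses. It assumes the peername string has the form `IP=<address>:<port>`; the addresses, ports and function names are constructed for illustration, and `re.search` stands in for slapd's unanchored regex matching.

```python
import re

# Constructed sample peernames, assuming the "IP=<address>:<port>" form.
# The port is the ephemeral source port the client OS picked.
SAMPLE_PEERS = [
    "IP=192.168.1.10:49152",   # intended client, first connection
    "IP=192.168.1.10:50233",   # same client, later connection, new port
    "IP=192.168.1.100:40000",  # different host whose address shares a prefix
]


def exact_allowed(value, peers):
    """Model an exact comparison: the whole string, port included, must be equal."""
    return [p for p in peers if p == value]


def regex_allowed(pattern, peers):
    """Model an unanchored regex match (the pattern may match anywhere)."""
    return [p for p in peers if re.search(pattern, p)]


def build_peer_regex(ip):
    """Build an anchored pattern for one IPv4 address and any port.

    Dots are escaped so they match only a literal dot, and the ':' plus
    the end anchor stop the address from matching as a prefix of another.
    """
    return "^IP=" + re.escape(ip) + ":[0-9]+$"


if __name__ == "__main__":
    # Exact value only ever matches the one connection whose port it names.
    print(exact_allowed("IP=192.168.1.10:49152", SAMPLE_PEERS))
    # A loose pattern also admits 192.168.1.100.
    print(regex_allowed("IP=192.168.1.10", SAMPLE_PEERS))
    # The anchored pattern admits the intended client on any port, nothing else.
    print(regex_allowed(build_peer_regex("192.168.1.10"), SAMPLE_PEERS))
```
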