
Re: Challenge With Access Control



On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:



Hope someone can explain this to me. I am sure it is very trivial. I have a primary LDAP server (10.16.13.84), a replica LDAP server (10.16.13.85) and a few clients all with a 10.16.13.x address.

Here is the access control I thought would work:

access  to *
  by self write
  by peername=10.16.13.84 write
  by peername=10.16.13.81 read
  by peername=10.16.13.82 read
  by peername=10.16.13.83 read
  by peername=10.16.13.85 read
  by peername=10.16.13.86 read

Here is what does work:

access to *
  by self write
  by peername.ip=10.16.13.84 write
  by * read

By work I mean that when I am on the replica (10.16.13.85) and issue
an ldapsearch to itself I get a 32 no such object with the top access, but I
get the expected result with the bottom access.

I am not 100% sure, but maybe this will help you (I am using a similar ACL). AFAIR in the peername you need to add the "IP=" - but I don't really remember, please correct me. The regex matching directive that works for me looks like this:

by peername.regex="IP=10\.10\.120\..+" read

Then you could try:

by peername.regex="IP=10\.16\.13\.8[1-6]" read

And please double check if you need to supply the "IP=10.10.10.10" for
the "by peername" without regex.
The regex solution will not conflict with the first entry as write
permission includes reading (and ACL parsing stops on the first
matched rule).

Hope this helps.

Regards,
Michal


Brian Gaber
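The peername behaviour Michal describes above, worked through as an added example in Python. This is not part of the thread and not OpenLDAP's own code: it is a small emulator of the three peername styles from slapd.access(5) (the default "exact" style compares the whole peer string, which slapd renders for TCP clients as "IP=<addr>:<port>"; the ".ip" style compares only the address, with optional %netmask and {port}; the ".regex" style runs a regex over the full peer string), applying slapd's first-match rule with an implicit trailing "by * none". The ACLs, the peer addresses and the DNs are constructed for illustration; only IPv4 TCP peers are modelled.

```python
import ipaddress
import re

# Access levels in increasing order; a higher level implies the lower ones,
# so a "write" clause also grants "read" (Michal's point about no conflict).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def grants(level, needed):
    """True if the granted level covers the level a request needs."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def slapd_peername(ip, port):
    """Constructed: how slapd renders a TCP peer for peername matching."""
    return f"IP={ip}:{port}"


def _match_ip(pattern, peername):
    """peername.ip=<addr>[%<netmask>][{<port>}]: compare address (and port) only."""
    m = re.fullmatch(r"IP=([\d.]+):(\d+)", peername)
    if not m:
        return False  # non-TCP peers (e.g. PATH= for ldapi) never match .ip
    peer_ip, peer_port = ipaddress.ip_address(m.group(1)), int(m.group(2))
    port = None
    if pattern.endswith("}"):
        pattern, _, p = pattern[:-1].rpartition("{")
        port = int(p)
    addr, _, mask = pattern.partition("%")
    net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    return peer_ip in net and (port is None or port == peer_port)


def _match_peername(style, pattern, peername):
    if style == "exact":
        # Default style: the whole "IP=addr:port" string must match, which is
        # why a bare "peername=10.16.13.84" never matches any real connection.
        return pattern == peername
    if style == "ip":
        return _match_ip(pattern, peername)
    if style == "regex":
        return re.search(pattern, peername) is not None
    raise ValueError(f"unsupported peername style: {style}")


def _who_matches(who, peername, bound_dn, entry_dn):
    """Evaluate one <who> clause: '*', 'self' or a peername[.style]=value."""
    if who == "*":
        return True
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    key, _, value = who.partition("=")
    value = value.strip('"')
    if key == "peername":
        style = "exact"
    elif key.startswith("peername."):
        style = key.split(".", 1)[1]
    else:
        raise ValueError(f"unsupported who clause: {who}")
    return _match_peername(style, value, peername)


def evaluate(acl, peername, bound_dn, entry_dn):
    """Return the access granted by the first matching <by> clause (first match wins)."""
    for who, access in acl:
        if _who_matches(who, peername, bound_dn, entry_dn):
            return access
    return "none"  # slapd's implicit trailing "by * none"


# Constructed ACLs mirroring the three variants discussed in the thread.
BROKEN_ACL = [("self", "write"), ("peername=10.16.13.84", "write")] + [
    (f"peername=10.16.13.8{n}", "read") for n in (1, 2, 3, 5, 6)
]
WORKING_ACL = [("self", "write"), ("peername.ip=10.16.13.84", "write"), ("*", "read")]
REGEX_ACL = [
    ("self", "write"),
    ("peername.ip=10.16.13.84", "write"),
    (r'peername.regex="IP=10\.16\.13\.8[1-6]"', "read"),
]

if __name__ == "__main__":
    replica = slapd_peername("10.16.13.85", 41234)  # constructed ephemeral port
    for name, acl in (("broken", BROKEN_ACL), ("working", WORKING_ACL), ("regex", REGEX_ACL)):
        print(f"{name:8s} anonymous search from replica -> {evaluate(acl, replica, None, 'dc=example,dc=com')}")
```

An anonymous search from the replica gets "none" under the first ACL because no clause matches the peer string "IP=10.16.13.85:<port>", and with no access to the entry slapd reports it as nonexistent, which is the error 32 Brian sees; the .ip and .regex forms match on the address and return "read". The primary at 10.16.13.84 hits the .ip write clause first, so the later read clause is never consulted.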