Michal,
Tried your suggestion, ldapsearch still fails. Here is the log:
Jul 5 11:09:31 ias2 slapd[11565]: entry_decode:
"SFTid=0002-00000000,ou=servers,o=sft"
Jul 5 11:09:31 ias2 slapd[11565]: <=
entry_decode(SFTid=0002-00000000,ou=servers,o=sft)
Jul 5 11:09:31 ias2 slapd[11565]: =>
bdb_dn2id("SFTid=0002-00000000,ou=servers,o=sft")
Jul 5 11:09:31 ias2 slapd[11565]: <= bdb_dn2id: got id=0x00000030
Jul 5 11:09:31 ias2 slapd[11565]: => test_filter
Jul 5 11:09:31 ias2 slapd[11565]: EQUALITY
Jul 5 11:09:31 ias2 slapd[11565]: => access_allowed: search access to
"SFTid=0002-00000000,ou=servers,o=sft" "SFTid" requested
Jul 5 11:09:31 ias2 slapd[11565]: => acl_get: [1] attr SFTid
Jul 5 11:09:31 ias2 slapd[11565]: => acl_mask: access to entry
"SFTid=0002-00000000,ou=servers,o=sft", attr "SFTid" requested
Jul 5 11:09:31 ias2 slapd[11565]: => acl_mask: to value by "", (=0)
Jul 5 11:09:31 ias2 slapd[11565]: <= check a_dn_pat: self
Jul 5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: 10.16.13.84
Jul 5 11:09:31 ias2 slapd[11565]: <= check a_peername_path:
IP=10.16.13.8[1-6]*
Jul 5 11:09:31 ias2 slapd[11565]: => acl_string_expand: pattern:
IP=10.16.13.8[1-6]*
Jul 5 11:09:31 ias2 slapd[11565]: => acl_string_expand: expanded:
IP=10.16.13.8[1-6]*
Jul 5 11:09:31 ias2 slapd[11565]: => regex_matches: string:^I
IP=127.0.0.1:46749
Jul 5 11:09:31 ias2 slapd[11565]: => regex_matches: rc: 1 no matches
Jul 5 11:09:31 ias2 slapd[11565]: <= acl_mask: no more <who> clauses,
returning =0 (stop)
Jul 5 11:09:31 ias2 slapd[11565]: => access_allowed: search access
denied by =0
Jul 5 11:09:31 ias2 slapd[11565]: <= test_filter 50
Jul 5 11:09:31 ias2 slapd[11565]: bdb_search: 48 does not match filter
-----Original Message-----
From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
Sent: Thursday, July 05, 2007 11:01 AM
To: Brian Gaber
Cc: openldap-software@openldap.org
Subject: Re: Challenge With Access Control
As far as I understand the log - you need to include the port. This
should help then:
by peername.regex="IP=10\.16\.13\.8[1-6]:[0-9]*" read
Regards,
Michal
On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> Tried your suggestion and still have a problem.
>
> Here is the new slapd.conf:
>
> access to *
> by self write
> by peername.ip=10.16.13.84 write
> by peername.regex="IP=10\.16\.13\.8[1-6]" read
>
> Here is the log:
>
> entry_decode: "SFTid=0001-00000000,ou=servers,o=sft"
> Jul 5 10:46:35 ias2 slapd[11401]: <=
> entry_decode(SFTid=0001-00000000,ou=servers,o=sft)
> Jul 5 10:46:35 ias2 slapd[11401]: =>
> bdb_dn2id("SFTid=0001-00000000,ou=servers,o=sft")
> Jul 5 10:46:35 ias2 slapd[11401]: <= bdb_dn2id: got id=0x0000002f Jul
> 5 10:46:35 ias2 slapd[11401]: => test_filter
> Jul 5 10:46:35 ias2 slapd[11401]: EQUALITY
> Jul 5 10:46:35 ias2 slapd[11401]: => access_allowed: search access to
> "SFTid=0001-00000000,ou=servers,o=sft" "SFTid" requested Jul 5
> 10:46:35 ias2 slapd[11401]: => acl_get: [1] attr SFTid Jul 5 10:46:35
> ias2 slapd[11401]: => acl_mask: access to entry
> "SFTid=0001-00000000,ou=servers,o=sft", attr "SFTid" requested Jul 5
> 10:46:35 ias2 slapd[11401]: => acl_mask: to value by "", (=0) Jul 5
> 10:46:35 ias2 slapd[11401]: <= check a_dn_pat: self Jul 5 10:46:35
> ias2 slapd[11401]: <= check a_peername_path: 10.16.13.84 Jul 5
> 10:46:35 ias2 slapd[11401]: <= check a_peername_path:
> IP=10.16.13.8[1-6]
> Jul 5 10:46:35 ias2 slapd[11401]: => acl_string_expand: pattern:
> IP=10.16.13.8[1-6]
> Jul 5 10:46:35 ias2 slapd[11401]: => acl_string_expand: expanded:
> IP=10.16.13.8[1-6]
> Jul 5 10:46:35 ias2 slapd[11401]: => regex_matches: string:^I
> IP=127.0.0.1:46504
> Jul 5 10:46:35 ias2 slapd[11401]: => regex_matches: rc: 1 no matches
> Jul 5 10:46:35 ias2 slapd[11401]: <= acl_mask: no more <who> clauses,
> returning =0 (stop) Jul 5 10:46:35 ias2 slapd[11401]: =>
> access_allowed: search access denied by =0 Jul 5 10:46:35 ias2
> slapd[11401]: <= test_filter 50
>
> -----Original Message-----
> From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
> Sent: Thursday, July 05, 2007 10:36 AM
> To: Brian Gaber
> Cc: openldap-software@openldap.org
> Subject: Re: Challenge With Access Control
>
> On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> >
> >
> >
> > Hope someone can explain this to me. I am sure it is very trivial.
> > I
>
> > have a primary LDAP server (10.16.13.84), a replica LDAP server
> > (10.16.13.85) and a few clients all with a 10.16.13.x address.
> >
> > Here is the access control I thought would work:
> >
> > access to *
> > by self write
> > by peername=10.16.13.84 write
> > by peername=10.16.13.81 read
> > by peername=10.16.13.82 read
> > by peername=10.16.13.83 read
> > by peername=10.16.13.85 read
> > by peername=10.16.13.86 read
> >
> > Here is what does work:
> >
> > access to *
> > by self write
> > by peername.ip=10.16.13.84 write
> > by * read
> >
> > By work I mean that when I am on the replica (10.16.13.85)
> > and
>
> > issue an ldapsearch to itself I get a 32 no such object with the top
> > access, but I get the expected result with the bottom access.
>
> I am not 100% sure, but maybe this will help you (I am using similar
> ACL). AFAIR in the peername you need to add the "IP=" - but I don't
> really remember, please correct me. The regex matching directive that
> works for me looks like this:
>
> by peername.regex="IP=10\.10\.120\..+" read
>
> Then you could try:
>
> by peername.regex="IP=10\.16\.13\.8[1-6]" read
>
> And please double check if you need to supply the "IP=10.10.10.10" for
> the "by peername" without regex.
> The regex solution will not conflict with the first entry as write
> permission includes reading (and ACL parsing stops on the first
> matched rule).
>
> Hope this helps.
>
> Regards,
> Michal
>
> >
> > Brian Gaber
>