Re: size limit by ip?
> Is it possible to control the size limit based on the ip address?
>
> man slapd.conf
>
> limits <who> <limit> [<limit> [...]]
>
> The argument who can be any of
>
> anonymous | users | [dn[.<style>]=]<pattern> |
> group[/oc[/at]]=<pattern>
>
> Which doesn't look like the 'who' can be an ip address,
> but I just want to confirm that is the case (since the 'who' in
> slapd.access supports peername.ip and I'm hoping that
> the underlying code for both 'who's is the same :)
The man page is correct, it's not possible.
> Basically we have software running on a host that is
> unable to authenticate (due to 3rd party software)
> and we need to increase the size limits for queries coming from it,
> without increasing that limit for all anonymous binds.
Your problem sounds general enough to deserve an extension of the limits
"who" clause semantics (I don't see it quite high-priority, though). In
any case, the modification should be trivial enough. I suggest you file
an ITS for a feature request.
> Are there alternative ways of doing this?
> Possibly setting up a server with back-ldap running, only allowing
> access from the specific
> ip address and letting the back-ldap server bind to real servers as an
> authorized account?
>
> Or is there a way to map ip address to an identity that can be used in
> the limits control.
Using idassert-bind with back-ldap would allow transforming an anonymous
connection into an authorized one. However, the request would then appear
as originating from the DSA instantiating the back-ldap, rather than from
the actual client.
> We're running 2.3.24.
You should definitely upgrade.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
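As an added example that is not part of the original thread, the back-ldap arrangement Pierangelo describes, written as two slapd.conf fragments: one for a proxy host that only the unauthenticated machine may reach, and one for the real server. The suffix, host names, proxy DN, password, client address 192.0.2.10 and the size value 5000 are placeholders, and the idassert-bind options are taken from slapd-ldap(5) as I read it, not from the thread; check the manual page for the version actually deployed.

```conf
########## proxy host: slapd with back-ldap in front of the real server ##########

# Only the host that cannot authenticate (placeholder address 192.0.2.10) may
# read anything through this proxy; all other peers get nothing back.
# A firewall rule on the proxy host is the stronger control and should be
# used in addition to this ACL.
access to *
        by peername.ip=192.0.2.10 read
        by * none

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://real-ldap.example.com/"

# Bind to the real server as a dedicated proxy account and do not assert the
# (anonymous) client identity, so every forwarded operation runs as cn=proxy.
# mode=none is assumed from slapd-ldap(5); this is exactly why the real server
# sees the proxy DSA, not the original client, as the originator.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-secret-placeholder"
                mode=none

# Every client of this proxy is anonymous and, given the ACL above, comes
# from the one permitted address, so a limit on anonymous here is in effect
# a per-IP limit without changing the real server's anonymous limit.
limits anonymous size=5000

########## real server: raise the limit for the proxy account only ##########

# The real server's limits clause sees the proxy's bind DN, so the larger
# size limit is keyed on that DN; anonymous binds keep the default limit.
limits dn.exact="cn=proxy,dc=example,dc=com" size=5000
```

Both limits matter: the proxy's frontend applies its own `limits` to the incoming anonymous search before back-ldap forwards it, and the real server then applies the limit for `cn=proxy`, so whichever is lower wins. Because the real server logs and audits every proxied request as `cn=proxy`, keep that account restricted to read access on the real server and give it no other privileges.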