[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Filter a ldap connection for a user comming from an IP source

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Filter a ldap connection for a user comming from an IP source
From: Mik J <mikydevel@yahoo.fr>
Date: Fri, 5 Oct 2012 09:43:00 +0100 (BST)
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.fr; s=s1024; t=1349426580; bh=/O6V7wrltK2Odx/tG4JOBcz1mPjO+VEz4ZU2kMzdH4c=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=HTgh5VaQIdKyzAzvzUAGxX6Nn6EnMk50RfCAHAp4wA4rmX/FTdxxwop+cAeqlTwQDYfYFEewcfZLQT03+JFDi0+xc+RTVxMP+kDEVLztP7+Yn9cgQWWvZtD2u09fR9cbi/O1LjkQd49hiQx9zqkGmRGtm43ZtCEdHxR5hjzeCwA=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.fr; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=X2UBNgFK61k0QHXpzAl/dj7KRrVOi4JlKFFgGwLNo5HhGtjGXYWPxQWkipN17lqJR4XohjWa3AJstc7/XRxlaS+BI5crDjQcPpLaOKG9GC3zFvbt7sT88t5n2I1I7ZmQkKqF6NomHdwiEFl2ELzIMKhwGHGFndfdI4rapsAZMHQ=;
In-reply-to: <CAA+mWJw6FERJPDGXksyiE=AtapH88hXLNb9_50_1EkG7P8pozw@mail.gmail.com>
References: <1349364787.51442.YahooMailNeo@web28801.mail.ir2.yahoo.com> <CAA+mWJw6FERJPDGXksyiE=AtapH88hXLNb9_50_1EkG7P8pozw@mail.gmail.com>

Hello Kyle,

Thank you for your answer. I've implemented this solution and started slapd with -d 256 to make sure of the incoming IP address.Unfortunately this solution doesn't work.
Regards

> De : Kyle Smith <alacer.cogitatus@gmail.com>
>À : Mik J <mikydevel@yahoo.fr> 
>
>I can't find specifics on how it works, but the acls contain a "set" command so something like:
>
>access to <what>
>     by set="dn=[uid=myadmin,ou=people,dc=mydomain,dc=org] & peername.ip=1.1.1.1" read
>
>might work for you, although I don't know the actual syntax or if this is how it was meant to be used.
>
>The ACL reference is here: http://www.openldap.org/doc/admin24/access-control.html
>
>Kyle
>
>
>2012/10/4 Mik J <mikydevel@yahoo.fr>
>
>Hello,
>>
>>I have this ACL that allows the users myadmin to list encrypted passwords
>>
>>access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
>>        by dn="uid=myadmin,ou=people,dc=mydomain,dc=org" read
>>
>>However this user my admin is supposed to come from one IP 1.1.1.1 only.
>>I think that the peername directive might help to achive this task but I don't know how to associate it with the user myadmin.
>>In conclusion I would like that the user myadmin coming from IP 1.1.1.1 be able to see the encrypted passwords.
>>If the user myadmin comes from another IP like 2.2.2.2 he would not match the ACL and therefore not be able to see encrypted passwords.
>>
>>Does anyone know what is the syntax ?

References:
- Filter a ldap connection for a user comming from an IP source
  - From: Mik J <mikydevel@yahoo.fr>
- Re: Filter a ldap connection for a user comming from an IP source
  - From: Kyle Smith <alacer.cogitatus@gmail.com>

Prev by Date: LDAP Stopped Authenticating Samba Shares
Next by Date: What does acl-bind exactly
Index(es):
- Chronological
- Thread