Issue 9512 - Add ability to restrict by server ip address in ACLs
Summary: Add ability to restrict by server ip address in ACLs
Status: UNCONFIRMED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.5.4
Hardware: All
OS: All
: --- enhancement
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-30 16:37 UTC by Quanah Gibson-Mount
Modified: 2021-06-14 16:43 UTC
See Also:


Description Quanah Gibson-Mount 2021-03-30 16:37:58 UTC
Currently it is possible via ACLs to enforce restrictions based on which slapd host interface is connected to via the peername parameter.  However, it's not possible to enforce ACL restrictions based on the IP address used by the client.  This would be a useful feature when wanting to restrict certain DNs to only being able to have access if they connect from a certain IP or IP range.
Comment 1 Howard Chu 2021-03-30 17:12:40 UTC
(In reply to Quanah Gibson-Mount from comment #0)
> Currently it is possible via ACLs to enforce restrictions based on which
> slapd host interface is connected to via the peername parameter.  However,
> it's not possible to enforce ACL restrictions based on the IP address used
> by the client.

Wrong. The peername parameter is the client's IP address. The sockname parameter is for the slapd address.

>  This would be a useful feature when wanting to restrict
> certain DNs to only being able to have access if they connect from a certain
> IP or IP range.

Already works as designed.
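The restriction described in this comment, as an added slapd.conf example that is not part of this issue (the suffix, the admin DN and the 192.0.2.0/24 range are assumed placeholders): the first `by` clause ANDs the DN match with a `peername.ip` match, so that DN gets write access only when the client connects from the given range, and the next clause denies the same DN from any other address before the general rule is reached.

```conf
# Added example: limit cn=admin to clients connecting from 192.0.2.0/24.
# peername is the client's address; sockname is the slapd listener address.
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" peername.ip=192.0.2.0%255.255.255.0 write
    by dn.exact="cn=admin,dc=example,dc=com" none
    by * read
```

The same text is used unchanged as an olcAccess value under cn=config.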
Comment 2 Quanah Gibson-Mount 2021-03-30 17:37:44 UTC
sockname does not allow IP addresses, so you can't restrict by server interface.