[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: allowing anonymous binds from a specific machine

I've done the following before and that worked for me

access to *
  by peername="ip:xxx\.yyy\.zzz\.zz[123]:*" read

try that and see if it works. The format for most binds are (at least from what I can see in the logs are):

Dec 19 02:10:42 myserver slapd[23087]: daemon: conn=0 fd=10 connection from IP= (IP= accepted.

notice the socket number? so I think that should work

good luck


At 03:41 PM 12/19/2001 -0500, you wrote:
OK, I thought I was having success but then (at least on the LDAP server) things
started to break and I had to revert to universal read access. I'm running
nss_ldap and nscd. I wonder whether they might communicate over UNIX sockets.
Is there a peername setting for UNIX sockets?
John Dalbec

John Dalbec wrote:
> I have a group of 3 machines with a single LDAP server. I needed to restrict
> access from outside but allow anonymous binds from within the group. I had
> success with
> access to *
> ...
> by * peername = "IP:127\.0\.0\.1" read
> by * peername = "IP:xxx\.yyy\.zzz\.aa[123]" read
> ...
> The "*" before peername is required!