[Date Prev][Date Next] [Chronological] [Thread] [Top]

peername + openldap 2.2.4

To: openldap-software@OpenLDAP.org
Subject: peername + openldap 2.2.4
From: D.M.Lewney@sussex.ac.uk (Dave Lewney)
Date: Wed, 07 Jan 2004 09:06:39 +0000
References: <1073445880.27620.43.camel@lin-workstation.azapple.com>
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.1) Gecko/20020827

Trying to restrict access to Openldap server (v2.2.4 running under Solaris 8) to 139.184.0.0/16 with this acl ...

access to *
        by peername="139.184.*.*"               read
        by peername="IP=127\.0\.0\.1:*"         read
        by users  ssf=112       tls_ssf=112             read
        by *                            none

... but this appears to be denying access to any client - log follows.

Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=dml,ou=Mail,o=University of Sussex", attr "uid" requested Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 488679 local4.debug] => acl_mask: to value by "", (=n) Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: 139.184.*.* Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: IP=127.0.0.1:* Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: users Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: * Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 279303 local4.debug] <= acl_mask: [4] applying none(=n) (stop) Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 804284 local4.debug] <= acl_mask: [4] mask: none(=n) Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 384072 local4.debug] => access_allowed: search access denied by none(=n)

The same peername line works on a v2.1.22 server, as does reverse lookup/domain matching (also failing under 2.2.4). All of this makes me think that I've missed something in the configuration/compile maybe. Config options were ...

./configure \
    --prefix=/local/openldap-2.2.4 \
    --with-tls=openssl \
    --with-openssl \
    --enable-rlookups \
    --enable-ldbm \
    --enable-crypt \
    --enable-monitor \
    --disable-bdb \
    --sysconfdir=/etc \
    --localstatedir=/var


Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956

Follow-Ups:
- Re: peername + openldap 2.2.4
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- acl fun
  - From: Craig White <craigwhite@azapple.com>

Prev by Date: Re: acl fun
Next by Date: Re: SSH and LDAP problem
Index(es):
- Chronological
- Thread