Re: peername + openldap 2.2.4
--On Wednesday, January 07, 2004 8:12 PM +0100 Pierangelo Masarati
--On Wednesday, January 07, 2004 9:06 AM +0000 Dave Lewney
Trying to restrict access to Openldap server (v2.2.4 running under
Solaris 8) to 220.127.116.11/16 with this acl ...
access to *
by peername="139.184.*.*" read
by peername="IP=127\.0\.0\.1:*" read
by users ssf=112 tls_ssf=112 read
by * none
I see the same issue. I've filed an ITS at the OpenLDAP website
Works perfectly for me (HEAD, but right now it's exactly
like 2.2.*). I note that
is an invalid regex (or, at least, results in a different
behavior from what you likely expect). Moreover, the default
for unqualified acl patterns is now EXACT rather than REGEX.
this will surprisingly match the IP you're using.
A rather better solution would be to use
Note that EXACT peername strings make no sense since
the port in most cases would be randomly picked by the OS.
A "peername.ip" style modifier could be interesting,
but a radically better solution would be to use a more
reliable ACL policy than one based on the IP of the
This works perfectly in OpenLDAP 2.1. It does not work at all in OpenLDAP
And it is useful in some cases for local lookups that otherwise get denied.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
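As an added example (not from anyone in this thread), here is the ACL rewritten with the explicit peername.regex style so that it keeps working under the EXACT default for unqualified patterns that Pierangelo describes in 2.2. The 139.184.0.0/16 network comes from Dave's rule; the slapd.conf layout and the assumption that the peername string has the form "IP=<addr>:<port>" (as in Dave's second line) are mine.

```conf
# Added example, not from the thread.
# In 2.2 an unqualified pattern is EXACT, so the original line
#     by peername="139.184.*.*" read
# is compared literally against "IP=a.b.c.d:port" and never matches.
# Qualify the style as regex, anchor the expression, and leave the
# port open, since the client port is picked by the OS (assumption:
# slapd formats the peername as "IP=<addr>:<port>").
access to *
        by peername.regex="^IP=139\.184\.[0-9]+\.[0-9]+:[0-9]+$" read
        by peername.regex="^IP=127\.0\.0\.1:[0-9]+$" read
        by users ssf=112 tls_ssf=112 read
        by * none
```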