
Re: ACLs with ip control



Quoting "Terry L. Inzauro" <tinzauro@ha-solutions.net>:

aubert@iut-bm.univ-fcomte.fr wrote:
I omitted a detail: it works fine if the command is used with an
authenticated user.
--
Emmanuel Aubert

Quoting Aaron Richton <richton@nbcs.rutgers.edu>:

==> by anonymous peername.ip=10.0.0.253 read

I don't think that's valid syntax because you have two <who> clauses, anonymous and peername.ip. Try only by peername.ip="10.0.0.253" read without "anonymous". I'd expect something like this to show up on "slaptest -d acl". If you want additive "anonymous and peername.ip" behavior see "<control>" directives.


I didn't read the ACLs thoroughly to see if they'd work with this change, but it's a starting point...




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Are there any other ACL(s) ahead of or prior to the IP ACL that might be blocking access? Ordering is very important.


_Terry






Hello.

I have attached the ACL file to this mail.

Thank you for your help.

--
Emmanuel



# Define global ACLs to disable default read access for dc=femto-st,dc=org,dc=fr.

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:

# Some general ACLs
access to attrs=userPassword
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by anonymous auth
	by self read
	by * none

# ACL for mail management
access to attrs=mailAlternateAddress,accountStatus,mailMessageStore
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=mail,ou=DSA,dc=femto-st,dc=org" read
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# ACL for anonymous access
access to attrs=mail,telephoneNumber,roomNumber,displayName,cn,sn,givenName
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=mail,ou=DSA,dc=femto-st,dc=org" read
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by anonymous peername.ip=10.0.0.253 read
	by * none

# ACL for the web site
access to attrs=uid
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=siteweb,ou=DSA,dc=femto-st,dc=org" read
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# Access to ou=1 for LPMO
access to dn.children="ou=1,dc=femto-st,dc=org"
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=lpmo,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# Access to ou=2 for LOPMD
access to dn.children="ou=2,dc=femto-st,dc=org"
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=lopmd,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# Access to ou=3 for LMARC
access to dn.children="ou=3,dc=femto-st,dc=org"
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=lmarc,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# Access to ou=4 for LCEP
access to dn.children="ou=4,dc=femto-st,dc=org"
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=lcep,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# Access to ou=5 for CREST
access to dn.children="ou=5,dc=femto-st,dc=org"
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=crest,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# Access to ou=6 for the FEMTO-ST central administration
access to dn.children="ou=6,dc=femto-st,dc=org"
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=femto,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# This can be omitted but we leave it: there could be other branches
# in the directory
access to *
	by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
	by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
	by self read
	by users read
	by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
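The evaluation rules the replies above rely on (the first matching `access to` is selected, the first matching `by` inside it decides, so ordering matters) can be exercised against the posted file without a running slapd. What follows is an added example, not code from this thread or from OpenLDAP: a small Python model of slapd's ACL evaluation as documented in slapd.access(5) and the Admin Guide, limited to the <what> and <who> forms the posted file uses (`*`, `attrs=`, `anonymous`, `users`, `self`, `dn=`, `peername.ip=`). `CONF` is a constructed two-directive excerpt of the posted slapd.conf, the entry DN and clients used with it are made up, and the function names are mine. It treats several <who> terms in one `by` clause as ANDed, as slapd does for combinations such as `by ssf=128 self write`; whether a given slapd release accepts `anonymous peername.ip=...` together is exactly what `slaptest -u -d acl` answers, and this model does not replace that syntax check. What it does show is why an anonymous bind from 10.0.0.253 can hold `read` on `mail` and still get nothing back from a search: slapd also needs read access on the `entry` pseudo-attribute to return an entry, `attrs=mail,...` never matches `entry`, so that check falls through to `access to *`, where the only clause an anonymous client matches is `by * none`. An authenticated user matches `by users read` in both directives, which is the behaviour Emmanuel reports.

```python
"""Simplified model of slapd ACL evaluation as documented in slapd.access(5): the first `access to`
whose <what> matches is selected, then the first `by` whose <who> terms all hold decides; no matching
`by` means no access. Added example, not OpenLDAP code; CONF is a constructed excerpt of the posted file."""
import ipaddress
import shlex
from collections import namedtuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
Client = namedtuple("Client", "dn ip")  # bound DN ("" = anonymous) and peer IPv4 address

CONF = """
access to attrs=mail,telephoneNumber,roomNumber,displayName,cn,sn,givenName
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by anonymous peername.ip=10.0.0.253 read
    by * none
access to *
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none
"""

def parse_acls(conf):
    """Return [(what, [(who_terms, level), ...])] in file order."""
    stmts = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and stmts:  # an indented line continues the previous directive
            stmts[-1] += " " + line.strip()
        else:
            stmts.append(line.strip())
    acls = []
    for stmt in stmts:
        tok = shlex.split(stmt)  # also strips the quotes around DNs
        if tok[:2] != ["access", "to"]:
            continue
        what, clauses, i = tok[2], [], 3
        while i < len(tok):
            if tok[i] != "by":
                raise ValueError(f"expected 'by' in: {stmt}")
            terms, i = [], i + 1
            while i < len(tok) and tok[i] not in LEVELS:  # every <who> term up to the level
                terms.append(tok[i])
                i += 1
            if not terms or i == len(tok):
                raise ValueError(f"malformed by clause in: {stmt}")
            clauses.append((terms, tok[i]))
            i += 1
            while i < len(tok) and tok[i] != "by":  # skip <control> tokens (stop/continue/break)
                i += 1
        acls.append((what, clauses))
    return acls

def who_matches(terms, client, target_dn):
    """Every <who> term in one by clause must hold (slapd ANDs combined terms)."""
    anon = client.dn == ""
    fixed = {"*": True, "anonymous": anon, "users": not anon,
             "self": not anon and client.dn.lower() == target_dn.lower()}
    for t in terms:
        if t in fixed:
            ok = fixed[t]
        elif t.startswith("dn="):
            ok = client.dn.lower() == t[len("dn="):].lower()
        elif t.startswith("peername.ip="):  # <ip>[%<netmask>]; the port suffix is not modelled
            ip, _, mask = t[len("peername.ip="):].partition("%")
            ok = ipaddress.ip_address(client.ip) in ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False)
        else:
            raise ValueError(f"unsupported <who>: {t}")
        if not ok:
            return False
    return True

def access_for(acls, client, target_dn, attr):
    """Level the client gets on (target_dn, attr). Only the <what> forms of the posted file:
    `*` matches every attribute, including the `entry` pseudo-attribute a search needs in
    order to return the entry at all; attrs= matches only the attributes it lists."""
    for what, clauses in acls:
        if what == "*" or (what.startswith("attrs=") and attr in what[len("attrs="):].split(",")):
            for terms, level in clauses:
                if who_matches(terms, client, target_dn):
                    return level
            return "none"  # directive selected, but no <who> matched: denied
    return "none"  # nothing matched: slapd's implicit trailing `access to * by * none`

def allowed(acls, client, target_dn, attr, needed):
    return LEVELS.index(access_for(acls, client, target_dn, attr)) >= LEVELS.index(needed)

def search_result(acls, client, target_dn, attrs):
    """None if the entry is withheld (no read on `entry`), else the attributes returned."""
    if not allowed(acls, client, target_dn, "entry", "read"):
        return None
    return [a for a in attrs if allowed(acls, client, target_dn, a, "read")]

def shadowed(acls):
    """Directives that can never be selected: everything after a bare `access to *`."""
    for i, (what, _) in enumerate(acls):
        if what == "*":
            return [w for w, _ in acls[i + 1:]]
    return []
```

With `acls = parse_acls(CONF)` and `anon = Client("", "10.0.0.253")`, `access_for(acls, anon, dn, "mail")` is `read` while `access_for(acls, anon, dn, "entry")` is `none`, so `search_result(acls, anon, dn, ["mail", "cn"])` is `None`; the same call for a bound user returns both attributes. `shadowed()` flags the ordering mistake Terry asks about, a bare `access to *` placed ahead of the specific directives. Against the live configuration the equivalent checks are `slaptest -u -f slapd.conf -d acl` for syntax and `slapacl` for per-DN, per-attribute answers (see slapacl(8) for the `-D` and `-o peername=...` options on your version).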