[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Challenge With Access Control

On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:

Hope someone can explain this to me. I am sure it is very trivial. I have a primary LDAP server (, a replica LDAP server ( and a few clients all with a 10.16.13.x address.

Here is the access control I thought would work:

access  to *
  by self write
  by peername= write
  by peername= read
  by peername= read
  by peername= read
  by peername= read
  by peername= read

Here is what does work:

access to *
  by self write
  by peername.ip= write
  by * read

        By work I mean that when I am on the replica ( and issue
an ldapsearch to itself I get a 32 no such object with the top access, but I
get the expected result with the bottom access.

I am not 100% sure, but maybe this will help you (I am using similar ACL). AFAIR in the peername you need to add the "IP=" - but I don't really remember, please correct me. The regex matching directive that works for me looks like this:

by peername.regex="IP=10\.10\.120\..+" read

Then you could try:

by peername.regex="IP=10\.16\.13\.8[1-6]" read

And please double check if you need to supply the "IP=" for
the "by peername" without regex.
The regex solution will not conflict with the first entry as write
permission includes reading (and ACL parsing stops on the first
matched rule).

Hope this helps.


Brian Gaber