
Re: ACL to bind groups from a IP



I don't know what the problem is; with your suggestion it should run well, but it doesn't.
I have tried both ways.
My LDAP server is:


dc=tel,dc=uva,dc=es
    cn=root
    ou=users
            uid=dpercam(GID=1002)
            uid=caralo(GID=1001)
    ou=groups
            cn=profesores(gidNumber=1001)
            cn=alumnos(gidNumber=1002)

Do I have to include something more in the sentences below?

Thank you!



From: Pierangelo Masarati <ando@sys-net.it>
To: Daniel Pérez del Campo <dpercam@hotmail.com>
CC: openldap-software@openldap.org
Subject: Re: ACL to bind groups from a IP
Date: Tue, 23 Oct 2007 18:07:02 +0200

Daniel Pérez del Campo wrote:
> I have read all that you suggested to me. I have this ACL:
>
> access to attrs=userPassword
>     by peername.ip=192.168.70.133 write
>     by * none
>
> With this, the users can bind from this IP, but I can't include
> groups, or something about users that have GID=1000, for example.

slapd.access(5) clearly states that "by" clauses can be ANDed by simply
setting more than one.  For example

access to attrs=userPassword
    by peername.ip=192.168.70.133 group="cn=Profesores" write

If you want to get to allowing access based on the **contents** of the
entry the client is binding as, I fear you need to use sets; in that
case, you need to learn sets' syntax
(http://www.openldap.org/faq/data/cache/1133.html); something like

access to attrs=userPassword
    by peername.ip=192.168.70.133 set="user/gidNumber & 1000" write

p,



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
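The two constructions Pierangelo describes, applied to the tree Daniel posted, as an added example that is not part of the thread. It assumes the entries under ou=users are posixAccount objects carrying a gidNumber attribute, and uses the bracketed string-literal form from the sets FAQ he links:

```conf
# Added example (not from the thread): slapd.conf ACLs for
# dc=tel,dc=uva,dc=es as described in the message above.

# 1. Two conditions in one "by" clause are ANDed: the client must connect
#    from 192.168.70.133 AND the bound DN must be listed in the group entry.
#    Caveat: group="..." checks a DN-valued membership attribute (default
#    objectClass groupOfNames, attribute member). A posixGroup whose
#    memberUid holds plain uid strings does not satisfy this clause, so
#    cn=profesores must be (or also be) a groupOfNames with member values
#    such as uid=caralo,ou=users,dc=tel,dc=uva,dc=es for it to match.
access to attrs=userPassword
    by peername.ip=192.168.70.133
       group="cn=profesores,ou=groups,dc=tel,dc=uva,dc=es" write
    by * none

# 2. Deciding on the CONTENTS of the entry the client binds as, with a set:
#    user/gidNumber expands to the gidNumber value(s) of the authenticating
#    entry; "& [1001]" intersects that with the literal string 1001, so the
#    clause is true only for entries whose gidNumber is 1001 (profesores).
#    Literal strings in set syntax go in square brackets, per the sets FAQ.
#    Users with gidNumber 1002 (alumnos) get no access to userPassword at all
#    under this rule, so they cannot bind with a simple bind.
access to attrs=userPassword
    by peername.ip=192.168.70.133 set="user/gidNumber & [1001]" write
    by * none
```

Only one of the two "access to attrs=userPassword" rules should be active, since slapd stops at the first matching "access to" line; slapacl(8) can be used to check what access a given bind DN actually gets under the loaded configuration.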


