[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to bind groups from a IP

I don't know what is the problem, but with your suggestion should run well, but it doesn't.
I have tried both ways.
My LDAP server is:


Do I have to include something more in the sentences below??

Thanks you!

From: Pierangelo Masarati <ando@sys-net.it>
To: Daniel Pérez del Campo <dpercam@hotmail.com>
CC: openldap-software@openldap.org
Subject: Re: ACL to bind groups from a IP
Date: Tue, 23 Oct 2007 18:07:02 +0200

Daniel Pérez del Campo wrote:
> I have read all that you suggested to me. I have this ACL:
> access to attrs=userPassword
>     by peername.ip= write
>     by * none
> With this, the users can bind from this IP, but I can't include
> groups,or something about users that have GID=1000, for example.

slapd.access(5) clearly states that "by" clauses can be ANDed by simply
setting more than one.  For example

access to attrs=userPassword
    by peername.ip= group="cn=Profesores" write

If you want to get to allowing access based on the **contents** of the
entry the client is binding as, I fear you need to use sets; in that
case, you need to learn sets' syntax
(http://www.openldap.org/faq/data/cache/1133.html); something like

access to attrs=userPassword
    by peername.ip= set="user/gidNumber & 1000" write


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it

Charla con tus amigos en línea mediante MSN Messenger: http://messenger.latam.msn.com/