[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: size limit by ip?

> Is it possible to control the size limit based on the ip address?
> man slapd.conf
>        *limits* <*who*> <*limit*> *[*<*limit*> *[...]]
> *The argument *who* can be any of
> 		     anonymous	  |   users   |   [dn[.<style>]=]<pattern>   |
> 		     group[/oc[/at]]=<pattern>
> Which doesn't look like the 'who' can be an ip address,
> but I just want to confirm that is the case (since the 'who' in
> slapd.access support peername.ip and I'm hoping that
> that the underlying code for both 'who's is the same :)

The man page is correct, it's not possible.

> Basically we have software running on a host that is
> unable to authenticate (due to 3rd party software)
> and we need to increase the size limits for queries coming from it,
> without increasing that limit for all anonymous binds.

Your problem sounds general enough to deserve an extension of the limits
"who" clause semantics (I don't see it quite high-priority, though).  In
any case, the modification should be trivial enough.  I suggest you file
an ITS for a feature request.

> Are there alternative ways of doing this?
> Possibly setting up a server with back-ldap running, only allowing
> access from the specific
> ip address and letting the back-ldap server bind to real servers as an
> authorized account?
> Or is there a way to map ip address to an identity that can be used in
> the limits control.

Using idassert-bind with back-ldap would allow to transform an anonymous
connection into an authorized one.  However, the request would then appear
as originating from the DSA instantiating the back-ldap, rather than from
the actual client.

> We're running 2.3.24.

You should definitely upgrade.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it