[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: logical "AND" in slapd acl statement?

Aaron Bennett wrote:

I'm sorry if this is a stupid question or one that's asked here often, but...

I need to grant access to a few attributes to a specific dn, but ideally ALSO only if that DN is coming from a specific ip range.

What I want to something like...

access to attrs=myAttribute
by ( peername.ip='" AND dn = "cn=me,ou=us,dc=myco,dc=com" ) read

I was pretty surprised that what I had above didn't work, and reading the man 5 slapd.access it seems like it might not be possible. Am I missing something? Is it actually possible to do this?

ACL semantics is not extremely flexible, but to some extent it allows to implement what you need in an extremely simple manner:

access to attrs=myAttribute
    by peername.ip=""
       dn="cn=me,ou=us,dc=myco,dc=com" read

(alignment is only to avoid random line wrapping). Basically, within a single "by" clause you can add as many criteria as you like, as soon as only one per type is provided (namely, you cannot have two "peername" criteria). They are all AND-ed. Also, note that the order in which they are provided does not really matter, since they are evaluated as hardcoded in the related functions.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it