[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs: restrict by IP and user

To: Janne Peltonen <janne.peltonen@helsinki.fi>
Subject: Re: ACLs: restrict by IP and user
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Wed, 27 Apr 2016 12:10:31 -0400 (EDT)
Cc: openldap-technical@openldap.org
In-reply-to: <20160427142343.GC31889@helsinki.fi>
References: <20160427142343.GC31889@helsinki.fi>
User-agent: Alpine 2.02 (SOC 1266 2009-07-14)

On Wed, 27 Apr 2016, Janne Peltonen wrote:

Hi!
I was thinking about giving the users a different set of their ownattributes, depending on whether they accessed the server from awell-known IP address or not. Is this possible using OpenLDAP? I knowhow to form a WHO clause to grant access to self; I know how to form aWHO clause to grant access from a certain IP address; what I don't knowis how to grant access to "self if and only if it hails from a certainIP address", i.e. so that the given rights would require both that we'reconsidering "self" and "IP address" at the same time, but if eitherdoesn't match, then the clause wouldn't apply.


Yes, this should be possible, something along the lines of:

access to attrs=somethingPrivate
	by self none break
	by * none

access to attrs=somethingPrivate
	by peername.ip="1.2.3.0%255.255.255.0" write
	by * none

I'be glad if anybody could provide any help upon this. Also a simple "can't be
done" would be appreciated.


--Janne Peltonen
University of Helsinki

Follow-Ups:
- Re: ACLs: restrict by IP and user
  - From: Janne Peltonen <janne.peltonen@helsinki.fi>

References:
- ACLs: restrict by IP and user
  - From: Janne Peltonen <janne.peltonen@helsinki.fi>

Prev by Date: ACLs: restrict by IP and user
Next by Date: Q: "dn: cn=Uptime,cn=Time,cn=Monitor" non-monotonic occasionally?
Index(es):
- Chronological
- Thread