Re: ACLs: restrict by IP and user
On Wed, 27 Apr 2016, Janne Peltonen wrote:
> Hi!
>
> I was thinking about giving the users a different set of their own
> attributes, depending on whether they accessed the server from a
> well-known IP address or not. Is this possible using OpenLDAP? I know
> how to form a WHO clause to grant access to self; I know how to form a
> WHO clause to grant access from a certain IP address; what I don't know
> is how to grant access to "self if and only if it hails from a certain
> IP address", i.e. so that the given rights would require both that we're
> considering "self" and "IP address" at the same time, but if either
> doesn't match, then the clause wouldn't apply.

Yes, this should be possible, something along the lines of:

access to attrs=somethingPrivate
    by self none break
    by * none

access to attrs=somethingPrivate
    by peername.ip="1.2.3.0%255.255.255.0" write
    by * none

> I'd be glad if anybody could provide any help upon this. Also a simple "can't be
> done" would be appreciated.
>
> --Janne Peltonen
> University of Helsinki
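
Added example (not part of the original message and not OpenLDAP code): a small Python model of how slapd walks the two directives from the reply, showing that `break` on the `self` clause hands evaluation to the second directive so that write access needs both conditions. The DNs, addresses and helper names are constructed for illustration, and only the `stop` and `break` controls are modelled.

```python
# Simplified model of slapd access-control evaluation for the two directives
# in the reply. Added example; not OpenLDAP code. Only the "stop" and "break"
# controls are modelled, and DN matching is a plain case-insensitive compare.
import ipaddress

# peername.ip="1.2.3.0%255.255.255.0" written as a network object
TRUSTED_NET = ipaddress.ip_network("1.2.3.0/255.255.255.0")

def is_self(req):
    return bool(req["bind_dn"]) and req["bind_dn"].lower() == req["entry_dn"].lower()

def from_trusted_net(req):
    return ipaddress.ip_address(req["peer_ip"]) in TRUSTED_NET

def anyone(req):
    return True

# Each directive: (attribute, [(who-matcher, level, control), ...])
ACLS = [
    ("somethingPrivate", [(is_self, "none", "break"), (anyone, "none", "stop")]),
    ("somethingPrivate", [(from_trusted_net, "write", "stop"), (anyone, "none", "stop")]),
]

def evaluate(req, acls=ACLS):
    """Return the access level slapd would settle on for req["attr"]."""
    granted = "none"  # nothing matched yet: implicit deny
    for attr, who_clauses in acls:
        if attr != req["attr"]:
            continue  # <what> does not cover this attribute
        for matches, level, control in who_clauses:
            if matches(req):
                granted = level
                if control == "stop":
                    return granted  # default: first matching <who> ends evaluation
                break  # "break": carry on with the next matching directive
        else:
            return "none"  # implicit trailing "by * none"
    return granted

def request(bind_dn, peer_ip, entry_dn="uid=alice,dc=example,dc=com"):
    # Constructed sample request; the DNs and addresses are made up.
    return {"bind_dn": bind_dn, "entry_dn": entry_dn,
            "peer_ip": peer_ip, "attr": "somethingPrivate"}
```

Passing only the second directive (`ACLS[1:]`) to `evaluate` shows why the first one matters: without it, any bound user connecting from the trusted network gets write access. On a real server, slapacl(8) can check the same cases against the actual configuration.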