
Re: OpenLDAP: ACLs using sockname and DN?

Quanah, hello.

On 22 Mar 2018, at 14:04, Quanah Gibson-Mount wrote:

> Hi Norman,
>
>           sockname.exact="/var/run/openldap/ldapi"
>        write
>
> ITS#3050 has an example of using both sockname and sockurl in an ACL. I'll see about having an example added to the admin guide.
>
> <http://www.openldap.org/its/index.cgi/?findid=3050>

Ah, many thanks.

I've just confirmed that

  by dn.base="uid=pwreset,ou=service,dc=example,dc=edu"
     sockname.exact="PATH=/var/run/openldap/ldapi"
     =dxw

...does indeed work: the uid=pwreset DN does have write access with -H ldapi:///, but doesn't have that access when connecting over the network.

Looking again at the relevant paragraph in the slapd.access(5) manpage, I read it as indicating that the `PATH=<path>` syntax applies only to `peername`, and that `sockname` should have 'the named pipe file name'. It might be worth checking that the manpage does still completely reflect the code.

If that manpage is being revisited, then it would be useful to be explicit that the various constraints in a <who> stanza are ANDed together. This might naturally go near the text 'They may be specified in combination'.

And an example in the admin guide would indeed be most welcome.

Best wishes,

Norman


--
Norman Gray  :  https://nxg.me.uk
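An added illustration of the ACL pattern discussed in this thread, written for this reply and not taken from the OpenLDAP admin guide or from either poster: a complete slapd.conf "access to" directive in which the password-reset service account can write userPassword only when it has bound over the local ldapi socket. The attribute choice, the "by self" and "by anonymous auth" clauses, and the socket path are assumptions; the dn/sockname clause itself is the one confirmed above.

```conf
# Added example, not from the thread or the admin guide.
# Assumes slapd listens on ldapi:/// and that the socket lives at
# /var/run/openldap/ldapi (adjust to the path in your own slapd config).
#
# Clauses in a single "by" are ANDed: the service DN gets =dxw only
# when BOTH the bind DN matches AND the connection arrived on the
# named socket. The same DN binding over ldap:// or ldaps:// falls
# through to "by * none" and gets nothing, which is what the test
# with and without -H ldapi:/// above showed.
access to attrs=userPassword
    by self =xw
    by dn.base="uid=pwreset,ou=service,dc=example,dc=edu"
       sockname.exact="PATH=/var/run/openldap/ldapi"
       =dxw
    by anonymous auth
    by * none
```

Order matters: slapd stops at the first matching "by" clause, so the service-account clause sits before the catch-all "by * none" and after "by self" so that a user binding as themselves is never evaluated against the socket test.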