Full_Name: Pierangelo Masarati
Version: HEAD
OS: Linux
URL: http://www.sys-net.it/~ando/Download/peername-style-improvements.patch
Submission from: (NULL) (81.72.89.40)
Submitted by: ando

This patch provides extended styles for peername which improve the semantics of the ACL clause and provide more efficient means to deal with typical issues (e.g. exact or most-significant IP match without dealing with the port, and so on). See also ITS#2904.
p.
changed notes
moved from Incoming to Software Enhancements
The previous patch was missing the new style enumerations in slap.h; this new patch corrects the previous one by eliminating the useless subtree and like styles, and introducing masks for IPs: http://www.sys-net.it/~ando/Download/peername-style-improvements-2004-01-08.patch

The syntax is described in slapd.access(5) and basically is:

peername=<pattern> (the default) tries an exact match, where peername is "IP=<ip>:<port>" or "PATH=<path>" if local.

peername.regex=<pattern> is the traditional regex match.

peername.ip=<ip pattern>[/<mask>] extracts the <ip> part from "IP=<ip>:<port>", applies <mask> and compares with <ip pattern>. If <mask> is not present, an exact match between <ip> and <ip pattern> is attempted.

peername.path=<pattern> strips "PATH=" from "PATH=<path>" and performs an exact match of <path> with <pattern>.

The distinction between the standard "exact" style and the specialized "ip" and "path" styles is that the former is applied regardless of the type of peername, while the latter two are applied only if the peername starts with "IP=" or with "PATH=" respectively; moreover, the exact match on "IP=<ip>:<port>" is likely to always fail because there is no way to know the <port> in advance. I don't think there's really a need to deal with the <port> portion of "IP=<ip>:<port>"; if needed, we could consider adding port ranges to the "ip" style; we could also consider stripping it before exact matching. If there's agreement on this, I'd commit it.
p.
resent 2907.reply.1
Yet another version, a bit cleaner and with a revised API: http://www.sys-net.it/~ando/Download/peername-style-improvements-2004-01-09.patch

The change is in

peername.ip=<ip pattern>[%<mask>][{<port>}]

so that the <ip pattern> / <mask> separator is a '%', and a port can be specified, enclosed in curly brackets. Valid examples are:

peername.ip=127.0.0.0%255.255.255.254{9009}

which allows connections only from 127.0.0.1 on port 9009 (a bit overkill: peername.ip=127.0.0.1{9009} would do the same :)
p.
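To make the semantics of the four styles concrete, here is an added example (not OpenLDAP code and not part of the ticket) that models how an ACL evaluator would treat a peername clause against the strings slapd produces for a client, "IP=<ip>:<port>" for TCP clients and "PATH=<path>" for ldapi:// clients. It implements the revised ip syntax from this message, <ip>[%<mask>][{<port>}], and assumes that the mask is applied to the client address only and the result compared with the pattern as written, which is one reading of "applies <mask> and compares with <ip pattern>". The clause and peername strings, the helper names and the satisfiability check are this example's own; IPv4 only, since the IPv6 handling is still open at this point in the ticket.

```python
import ipaddress
import re

# Added example modelling the peername styles discussed in the ticket. It is not
# slapd's implementation; names, inputs and the mask semantics are assumptions.

# peername[.<style>]=<pattern>; the style defaults to "exact" when omitted.
_CLAUSE_RE = re.compile(r"^peername(?:\.(exact|regex|ip|path))?=(.+)$")
# <ip>[%<mask>][{<port>}], IPv4 dotted quads only.
_IP_PATTERN_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"(?:%(?P<mask>\d+\.\d+\.\d+\.\d+))?"
    r"(?:\{(?P<port>\d+)\})?$"
)


def parse_clause(clause):
    """Split 'peername[.<style>]=<pattern>' into (style, pattern)."""
    m = _CLAUSE_RE.match(clause)
    if not m:
        raise ValueError("not a peername clause: %r" % clause)
    return (m.group(1) or "exact", m.group(2))


def match_exact(pattern, peername):
    # Applied to any peername type. For "IP=<ip>:<port>" the pattern must
    # contain the client's ephemeral port, which is why it almost never matches.
    return pattern == peername


def match_regex(pattern, peername):
    # slapd compiles the pattern with regcomp() and runs regexec(), which finds a
    # match anywhere in the string; anchor the pattern yourself. Approximated
    # here with re.search (assumption: POSIX search semantics).
    return re.search(pattern, peername) is not None


def match_ip(pattern, peername):
    # Considered only when the peername is an IP endpoint.
    if not peername.startswith("IP="):
        return False
    host, _, port = peername[len("IP="):].rpartition(":")
    pm = _IP_PATTERN_RE.match(pattern)
    if not pm:
        raise ValueError("bad ip pattern: %r" % pattern)
    want = int(ipaddress.IPv4Address(pm.group("ip")))
    mask = int(ipaddress.IPv4Address(pm.group("mask"))) if pm.group("mask") else 0xFFFFFFFF
    have = int(ipaddress.IPv4Address(host))  # raises on IPv6 or garbage
    # The mask is applied to the client address only; the pattern is used as written.
    if (have & mask) != want:
        return False
    return pm.group("port") is None or int(pm.group("port")) == int(port)


def match_path(pattern, peername):
    # Considered only for Unix domain socket clients; compares the bare path.
    if not peername.startswith("PATH="):
        return False
    return peername[len("PATH="):] == pattern


_STYLES = {"exact": match_exact, "regex": match_regex, "ip": match_ip, "path": match_path}


def clause_matches(clause, peername):
    """Evaluate one peername clause against one client peername string."""
    style, pattern = parse_clause(clause)
    return _STYLES[style](pattern, peername)


def ip_pattern_is_satisfiable(pattern):
    """Under the semantics above, a pattern with host bits set outside its own
    mask (e.g. 127.0.0.1%255.255.255.254) can never match any client address."""
    pm = _IP_PATTERN_RE.match(pattern)
    if not pm or not pm.group("mask"):
        return True
    want = int(ipaddress.IPv4Address(pm.group("ip")))
    mask = int(ipaddress.IPv4Address(pm.group("mask")))
    return (want & mask) == want


if __name__ == "__main__":
    # Constructed sample peernames, as slapd would report them.
    for clause in ("peername.ip=127.0.0.0%255.255.255.254{9009}",
                   "peername.ip=127.0.0.1{9009}",
                   "peername=IP=127.0.0.1:9009",
                   "peername.path=/var/run/slapd/ldapi"):
        for peer in ("IP=127.0.0.1:9009", "IP=127.0.0.1:51234",
                     "IP=127.0.0.2:9009", "PATH=/var/run/slapd/ldapi"):
            print("%-45s %-28s %s" % (clause, peer, clause_matches(clause, peer)))
```

Running the block shows the point made in the previous message: the default exact style with an "IP=" pattern only matches when the client happens to use the listed source port, while the ip style matches on address alone unless a {<port>} is given. The satisfiability check is the configuration-time test a practitioner would want before deploying a masked pattern.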
moved from Software Enhancements to Development
Sorry, the above link has been unavailable for a while due to a typo in its name. I have fixed it now.
p.
changed notes changed state Open to Test
I have applied this to HEAD, although there's still work to do for IPv6, because I had feedback from users who use peername ACLs and want to use exact or efficient matching. Note that the patch link has been broken for a while; also note that the slapd.access(5) man page in HEAD and re22 erroneously reported this change as already committed; it's amazing nobody complained, apparently nobody reads man pages and Google didn't report anything about this feature yet.
p.

--
Dr. Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.
http://www.sys-net.it
SysNet - via Dossi,8 27100 Pavia
Tel: +390382573859
Fax: +390382476497
changed notes changed state Test to Release
changed notes changed state Release to Closed
moved from Development to Archive.Development
need to deal with INET6
applied to HEAD/re22