
access control questions



Hi,

I've compiled and installed openldap 2.07 and I'm having reasonable
success with it (testing only).

1. I managed to hack the migration tools from the 1.x rpm version to
create an ldif of etc/password and group and used slapadd to build the
ldbm. It seems the schema has changed somewhat. Is there a new set of
migration tools for 2.07?

2. If I configure the build of openldap with --enable-wrappers, how do I
use this feature? I've seen some discussion on the list about having to
add 12 lines to inetd.conf to make it work. This doesn't sound right to
me. I'd like to be able to limit access to the server to a class C
subnet, which brings up the next question...

3. I tried using the addr=xxx.xxx.xxx.xxx in the by clause and slapd won't
even start. If I comment it out, slapd starts but won't return any
search info. I have to eliminate the line completely. Here's my
slapd.conf (trying to limit access to one host; names and numbers have
been changed for security) and the error I get starting slapd when using
the addr rule...

==========================================================
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

loglevel 320

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "o=myldap"
rootdn          "cn=manager,o=myldap"
rootpw          secret
# cleartext passwords, especially for the rootdn, should
# be avoided.  See slapd.conf(5) for details.
directory       /usr/local/var/openldap-ldbm/

access to  attr=userpassword
       by  self        write
       by  dn="cn=manager,o=myldap"  write
       by  *           compare
access to  attr=uidNumber,attr=gidNumber
       by  dn="cn=manager,o=myldap"  write
       by  addr="123.456.789.123"
       by  *       none
access to *
       by self        write
       by  dn="cn=manager,o=myldap"  write
       by  addr="123.456.789.123"
       by   *  none
access to * by * none

# Indices to maintain
#index  objectClass     eq
 
============================================================================

Starting ldap: /usr/local/etc/openldap/slapd.conf: line 49: expecting
<access> got "addr=123.456.789.123"

<access clause> ::= access to <what> [ by <who> <access> <control> ]+ 
<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]
<attrlist> ::= <attr> | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= [ * | anonymous | users | self | dn=<regex> ]
        [dnattr=<attrname>]
        [group[/<objectclass>[/<attrname>]]=<regex>]
        [peername=<regex>] [sockname=<regex>]
        [domain=<regex>] [sockurl=<regex>]
        [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x}+
<control> ::= [ stop | continue | break ]

Thanks,

 -- 
John S. Weber

System Administrator
Center for Computational Mathematics
University of Colorado at Denver
Phone: (303)556-5394 Fax: (303)556-8550
jweber@math.cudenver.edu
http://www-math.cudenver.edu/~jweber
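The grammar slapd printed with the error explains both symptoms in question 3: `addr=` is not one of the `<who>` keywords (client addresses are matched with `peername=<regex>`), every `by` clause must end in an `<access>` level, and an attribute list is written `attrs=a,b` rather than `attr=a,attr=b`. Below is a host-restricted version of the posted ACL section written to that grammar. It is an added example, not the poster's configuration or anything from the OpenLDAP project; 192.0.2.10 is a placeholder for the one permitted host, and the `peername` regex assumes the 2.0-era string form `IP=<address>:<port>` for a TCP client.

```conf
# /usr/local/etc/openldap/slapd.conf, ACL section only (constructed example).
#
# Assumptions: 192.0.2.10 is the single host allowed to read the directory,
# and slapd 2.0 reports a TCP client's peername as "IP=192.0.2.10:<port>",
# so the regex anchors on the address and accepts any source port.
# "o=myldap" and "cn=manager,o=myldap" are the suffix and rootdn from the
# posted config; the rootdn bypasses ACLs and is listed only for clarity.
#
# ACLs are evaluated first match wins, so the most specific "access to"
# lines come first and each ends with an explicit "by * none".

# Passwords: the owner may change them; the permitted host gets "compare",
# which also covers "auth", so simple binds from that host still succeed.
# Everyone else gets nothing, which also blocks binds from other hosts.
access to attrs=userPassword
        by self write
        by dn="cn=manager,o=myldap" write
        by peername="^IP=192\.0\.2\.10:.*" compare
        by * none

# NIS numeric ids: readable only from the permitted host.
access to attrs=uidNumber,gidNumber
        by dn="cn=manager,o=myldap" write
        by peername="^IP=192\.0\.2\.10:.*" read
        by * none

# Everything else: owners may edit their own entry, the permitted host may
# read, all other clients are refused.
access to *
        by self write
        by dn="cn=manager,o=myldap" write
        by peername="^IP=192\.0\.2\.10:.*" read
        by * none
```

The trailing `access to * by * none` in the posted file is redundant once the last clause ends in `by * none`, and dropping it avoids a second catch-all that never matches. For the class C limit in question 2, a build with `--enable-wrappers` consults /etc/hosts.allow and /etc/hosts.deny under the daemon name `slapd` at connection time, so the limit is a pair of lines such as `slapd: 192.0.2.0/255.255.255.0` in hosts.allow and `slapd: ALL` in hosts.deny; no inetd.conf entry is involved because slapd runs standalone and performs the check itself. Using both layers is reasonable: the wrappers refuse the TCP connection outright, while the `peername` ACLs still govern what an accepted connection may see.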