access control questions
Hi,
I've compiled and installed openldap 2.07 and I'm having reasonable
success with it (testing only).
1. I managed to hack the migration tools from the 1.x rpm version to
create an ldif of etc/password and group and used slapadd to build the
ldbm. It seems the schema has changed somewhat. Is there a new set of
migration tools for 2.07?
2. If I configure the build of openldap with --enable-wrappers, how do I
use this feature? I've seen some discussion on the list about having to
add 12 lines to inetd.conf to make it work. This doesn't sound right to
me. I'd like to be able to limit access to the server to a class C
subnet, which brings up the next question...
3. I tried using the addr=xxx.xxx.xxx.xxx in the by clause and slapd won't
even start. If I comment it out, slapd starts but won't return any
search info. I have to eliminate the line completely. Here's my
slapd.conf (trying to limit access to one host, names and numbers have
been changed for security) and the error I get starting slapd when using
the addr rule...
==========================================================
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
loglevel 320
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "o=myldap"
rootdn "cn=manager,o=myldap"
rootpw secret
# cleartext passwords, especially for the rootdn, should
# be avoided. See slapd.conf(5) for details.
directory /usr/local/var/openldap-ldbm/
access to attr=userpassword
by self write
by dn="cn=manager,o=myldap" write
by * compare
access to attr=uidNumber,attr=gidNumber
by dn="cn=manager,o=myldap" write
by addr="123.456.789.123"
by * none
access to *
by self write
by dn="cn=manager,o=myldap" write
by addr="123.456.789.123"
by * none
access to * by * none
# Indices to maintain
#index objectClass eq
============================================================================
Starting ldap: /usr/local/etc/openldap/slapd.conf: line 49: expecting
<access> got "addr=123.456.789.123"
<access clause> ::= access to <what> [ by <who> <access> <control> ]+
<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]
<attrlist> ::= <attr> | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= [ * | anonymous | users | self | dn=<regex> ]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>]]=<regex>]
[peername=<regex>] [sockname=<regex>]
[domain=<regex>] [sockurl=<regex>]
[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x}+
<control> ::= [ stop | continue | break ]
Thanks,
--
John S. Weber
System Administrator
Center for Computational Mathematics
University of Colorado at Denver
Phone: (303)556-5394 Fax: (303)556-8550
jweber@math.cudenver.edu
http://www-math.cudenver.edu/~jweber
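As an added example (not part of the post above, and not an official OpenLDAP sample), here is the ACL section of that slapd.conf rewritten to restrict access to a single class C network using one of the <who> forms the error message actually lists, peername=<regex>, since addr= is not among them. It assumes slapd presents the client address as "IP=<addr>:<port>" (check slapd.access(5) for the version in use), and the network 192.168.1.0/24 is a placeholder standing in for the poster's own subnet:

```conf
# Added example, not from the original post. Replaces the "access to" block
# of the slapd.conf shown above.
# Assumption: slapd formats the client peername as "IP=<addr>:<port>", so the
# regex is anchored on that prefix. 192.168.1.0/24 is a placeholder network.
# "[.]" is used instead of "\." so the match does not depend on how the
# config file parser treats backslashes inside quoted values.

# Passwords: owners may change them; hosts on the subnet get "compare",
# which is enough for a simple bind (it includes "auth"); everyone else
# gets nothing, so binds from outside the subnet fail.
access to attrs=userPassword
        by self write
        by dn="cn=manager,o=myldap" write
        by peername="^IP=192[.]168[.]1[.][0-9]+:" compare
        by * none

# One attrs= list per <what>; "attr=a,attr=b" is not the documented form.
access to attrs=uidNumber,gidNumber
        by dn="cn=manager,o=myldap" write
        by peername="^IP=192[.]168[.]1[.][0-9]+:" read
        by * none

# Everything else: readable from the subnet only.
access to *
        by self write
        by dn="cn=manager,o=myldap" write
        by peername="^IP=192[.]168[.]1[.][0-9]+:" read
        by * none
```

Each "by" clause needs an access level (read, compare, none, ...); the addr= lines in the original have none, which is a second reason they would not parse. The regex is anchored, so if the peername format assumption is wrong for a given build it fails closed (nothing from the subnet gets access) rather than open; a quick ldapsearch from a host inside and one outside the subnet confirms the result, and adding 128 (ACL processing) to loglevel shows which clause matched. The rootdn is not subject to ACLs at all, so the dn="cn=manager,..." lines are harmless but redundant. For the --enable-wrappers question, slapd linked with libwrap consults /etc/hosts.allow and /etc/hosts.deny itself under the daemon name "slapd"; it does not have to run from inetd for that to work, so a hosts.allow rule for the same subnet gives a second, network-level check in front of these ACLs.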