
Re: allowing anonymous binds from a specific machine



I've done the following before and that worked for me

access to *
  by peername="ip:xxx\.yyy\.zzz\.zz[123]:*" read

Try that and see if it works. The format for most binds (at least from what I can see in the logs) is:

Dec 19 02:10:42 myserver slapd[23087]: daemon: conn=0 fd=10 connection from IP=111.122.13.5:23833 (IP=0.0.0.0:0) accepted.

Notice the socket number? So I think that should work.

good luck

jm



At 03:41 PM 12/19/2001 -0500, you wrote:
OK, I thought I was having success but then (at least on the LDAP server) things
started to break and I had to revert to universal read access. I'm running
nss_ldap and nscd. I wonder whether they might communicate over UNIX sockets.
Is there a peername setting for UNIX sockets?
Thanks,
John Dalbec


John Dalbec wrote:
>
> I have a group of 3 machines with a single LDAP server. I needed to restrict
> access from outside but allow anonymous binds from within the group. I had
> success with
> access to *
> ...
> by * peername = "IP:127\.0\.0\.1" read
> by * peername = "IP:xxx\.yyy\.zzz\.aa[123]" read
> ...
> The "*" before peername is required!
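The thread leaves open what the peername patterns actually match against the "IP=addr:port" string that slapd logs. The following is an added example, not code from either poster, that parses constructed slapd connection-log lines (documentation addresses from 192.0.2.0/24 stand in for xxx.yyy.zzz) and applies peername-style regexes to them with Python's `re.search`, which is assumed here to stand in for slapd's unanchored regex matcher. It shows the difference between a loose pattern in the shape used on the list (a trailing `:*` is, in regex terms, "zero or more colons") and an anchored pattern that requires the `:port` separator, so a clause meant for .11, .12 and .13 cannot also admit .113; the audit functions list which connections would get anonymous read and which fall outside the group.

```python
import re

# Constructed sample slapd log lines (not from the original thread), in the
# "connection from IP=addr:port ... accepted" form quoted above. Addresses
# come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
Dec 19 02:10:42 myserver slapd[23087]: daemon: conn=0 fd=10 connection from IP=192.0.2.11:23833 (IP=0.0.0.0:0) accepted.
Dec 19 02:11:07 myserver slapd[23087]: daemon: conn=1 fd=11 connection from IP=192.0.2.13:40122 (IP=0.0.0.0:0) accepted.
Dec 19 02:12:30 myserver slapd[23087]: daemon: conn=2 fd=12 connection from IP=192.0.2.113:51007 (IP=0.0.0.0:0) accepted.
Dec 19 02:13:02 myserver slapd[23087]: daemon: conn=3 fd=13 connection from IP=127.0.0.1:38744 (IP=0.0.0.0:0) accepted.
Dec 19 02:14:55 myserver slapd[23087]: daemon: conn=4 fd=14 connection from IP=198.51.100.7:60001 (IP=0.0.0.0:0) accepted.
"""

# Pulls the connection id and the "IP=addr:port" peer string out of a log line.
CONN_RE = re.compile(r"conn=(?P<conn>\d+) .*?connection from (?P<peer>IP=[0-9.]+:\d+) ")

# Two versions of the peername clauses. LOOSE follows the shape used on the
# list: unanchored, trailing ":*" (zero or more colons). TIGHT anchors the
# pattern and requires the ":port" separator after the last octet.
# Assumption: the peer string seen by the ACL has the same "IP=addr:port" form
# as the log line; hosts .11, .12 and .13 form the hypothetical group.
LOOSE_PATTERNS = {
    "loopback": r"IP=127\.0\.0\.1:*",
    "group":    r"IP=192\.0\.2\.1[123]:*",
}
TIGHT_PATTERNS = {
    "loopback": r"^IP=127\.0\.0\.1:\d+$",
    "group":    r"^IP=192\.0\.2\.1[123]:\d+$",
}


def parse_connections(log_text):
    """Return [(conn_id, peername)] for every accepted connection in log_text."""
    found = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            found.append((int(m.group("conn")), m.group("peer")))
    return found


def matching_clauses(peer, patterns):
    """Names of the clauses whose peername regex matches this peer string.
    re.search is unanchored, so only the pattern's own ^/$ constrain it."""
    return [name for name, pat in patterns.items() if re.search(pat, peer)]


def audit(log_text, patterns):
    """Map conn id -> (peer, [matching clause names]). An empty list means the
    connection would receive no anonymous read from these clauses."""
    return {conn: (peer, matching_clauses(peer, patterns))
            for conn, peer in parse_connections(log_text)}


def outside_group(log_text, patterns):
    """Conn ids matching none of the clauses: the connections worth reviewing."""
    return sorted(conn for conn, (_, hits) in audit(log_text, patterns).items()
                  if not hits)


if __name__ == "__main__":
    for label, pats in (("loose", LOOSE_PATTERNS), ("tight", TIGHT_PATTERNS)):
        print(label)
        for conn, (peer, hits) in audit(SAMPLE_LOG, pats).items():
            print(f"  conn={conn} {peer:<22} -> {hits or 'no anonymous read'}")
        print("  outside group:", outside_group(SAMPLE_LOG, pats))
```

Run as a script, the loose clauses admit conn=2 (192.0.2.113) because the substring "IP=192.0.2.11" satisfies the pattern, while the tight clauses reject it; only the host outside the group (conn=4) is flagged under the loose set, and both conn=2 and conn=4 under the tight set.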