Re: ACL by IP



Daniel Tiefnig wrote:
> 
> Pierangelo Masarati wrote:
> 
> > access to *
> >   by peername.exact='ip=11.22.33.44" write
>                       ^              ^
> uhm, a typo, isn't it?

:)

> 
> and I've a question about ACLs.. entity matching is still only done via
> regex..(?) did you guys ever think of implementing something like subnet
> mask matching for IPs? that would simplify ACLs in many cases, and
> therefore likely speed up things as well..

There's something like that in HEAD for the domain ACL, that is the
subtree match has been implemented to avoid using regex to allow, say,
access to a subnet:

access to *
	by domain.subtree="polimi.it" read

which also allows submatches like

access to dn.regex=".*dc=([^,]+),dc=it$"
	by domain.subtree,expand="$1.it" read

This is experimental.

Subnet mask might be an interesting evolution; note that all of this,
at least in my opinion and from my personal experience, should not be
used instead of appropriate authentication. 

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
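As an added illustration (not code from the thread or from OpenLDAP), the following Python models the three matching styles discussed above: exact peername IP versus the subnet-mask matching Daniel asks for, `domain.subtree` matching, and `domain.subtree,expand` driven by a `dn.regex` capture. The peername strings and DNs are constructed samples, and the regex function shows the kind of over-match the subtree style avoids.

```python
import ipaddress
import re

# Small Python model of the slapd ACL matching styles discussed in this
# thread (not OpenLDAP code). Peername strings are constructed samples in
# the IPv4 form slapd presents them, "IP=<addr>:<port>".

def peername_ip(peername: str) -> str:
    """Extract the IPv4 address from a peername such as 'IP=11.22.33.44:54321'."""
    m = re.fullmatch(r"IP=([\d.]+)(?::\d+)?", peername)
    if not m:
        raise ValueError(f"unexpected peername: {peername!r}")
    return m.group(1)

def peer_in_subnet(peername: str, subnet: str) -> bool:
    """Subnet-mask matching (the evolution suggested in the thread): 'subnet'
    is CIDR notation, e.g. '11.22.33.0/24'; no regex is involved."""
    return ipaddress.ip_address(peername_ip(peername)) in ipaddress.ip_network(subnet)

def domain_in_subtree(client_domain: str, base: str) -> bool:
    """domain.subtree semantics: the base itself or any subdomain matches,
    compared label-wise so 'notpolimi.it' does not match base 'polimi.it'."""
    c = client_domain.lower().rstrip(".")
    b = base.lower().rstrip(".")
    return c == b or c.endswith("." + b)

def domain_regex_match(client_domain: str, pattern: str) -> bool:
    """The regex style the subtree match was added to avoid: an unanchored,
    unescaped pattern like 'polimi.it$' also accepts 'evilpolimi.it'."""
    return re.search(pattern, client_domain) is not None

def domain_subtree_expand(dn: str, dn_pattern: str, base_template: str,
                          client_domain: str) -> bool:
    """dn.regex capture plus domain.subtree,expand: '$1' in base_template is
    replaced by the first capture of dn_pattern matched against the target DN,
    then the client's domain is checked against that subtree."""
    m = re.search(dn_pattern, dn)
    if not m:
        return False  # this ACL clause does not apply to the DN at all
    base = base_template.replace("$1", m.group(1))
    return domain_in_subtree(client_domain, base)

if __name__ == "__main__":
    print(peer_in_subnet("IP=11.22.33.44:54321", "11.22.33.0/24"))   # True
    print(domain_in_subtree("ldap.polimi.it", "polimi.it"))           # True
    print(domain_regex_match("evilpolimi.it", "polimi.it$"))          # True (over-match)
    print(domain_subtree_expand("ou=people,dc=polimi,dc=it",
                                r".*dc=([^,]+),dc=it$", "$1.it", "aero.polimi.it"))  # True
```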