[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL by IP

To: openldap-software@OpenLDAP.org
Subject: Re: ACL by IP
From: Daniel Tiefnig <openldap@qmail.infonova.at>
Date: Tue, 16 Apr 2002 11:02:07 +0200
Organization: INFONOVA
References: <C4A71335-4F09-11D6-9F22-0003938FAD0A@quinnperkins.com> <courier.3CBB0F95.00003C39@mailsrv.aero.polimi.it> <a9gmou$plj$1@qmail.infonova.at> <3CBBE6D8.BF6141DA@aero.polimi.it>

Pierangelo Masarati wrote:
> Daniel Tiefnig wrote:
>> and i've a qestion about ACLs.. entity matching is still only done
>> via regex..(?) did you guys ever think of implementing smth. like
>> subnet mask matching for IPs? that would simplify ACLs in many cases,
>> and therefor likely speed up things as well..
> 
> There's something like that in HEAD for the domain ACL, that is the
> subtree match has been implemented to avoid using regex to allow, say,
> access to a subnet:
> 
> access to *
> by domain.subtree="polimi.it" read
> 
> which also allows submatches like
> 
> access to dn.regex=".*dc=([^,]+),dc=it$"
> by domain.subtree,expand="$1.it" read

hmm.. actually i thought about something more like
access to netmask="195.3.81.64/28"
:o)

> Subnet mask might be an interesting evolution; note that all of this,
> at least in my opinion and from my personal experience, should not be
> used instead of appropriate authentication.

of course not. (though i do..)

g,
daniel
-- 
This may seem a bit weird, but that's okay, because it is weird.
          -- The Perl v5.0 manual page

References:
- ACL by IP
  - From: Quinn Perkins <quinn@quinnperkins.com>
- Re: ACL by IP
  - From: "Pierangelo Masarati" <masarati@aero.polimi.it>
- Re: ACL by IP
  - From: Daniel Tiefnig <openldap@qmail.infonova.at>
- Re: ACL by IP
  - From: Pierangelo Masarati <masarati@aero.polimi.it>

Prev by Date: Problem with ACL
Next by Date: Re: acl usage
Index(es):
- Chronological
- Thread