
Re: ACL: Combining domain and other <who> directives?



Pierangelo Masarati wrote:
> 
> Marian Steinbach wrote:
> >
> > Hello!
> >
> > After digging into the admin guide and FAQmatic I am not yet aware of
> > how to solve this problem:
> >
> > I only want to allow access to an OpenLDAP 2 server from one domain.
> > Within that domain, some other <who> directives are important in order
> > to allow different access from none to write. Maybe I am suffering from
> > total misconception, but I am just missing boolean operators like a "NOT"
> > or an "AND", that's why I can't formulate the rules in OpenLDAP
> > lingo.
> >
> > In pseudo code, this is what I am after:
> >
> > access to *
> >   if (domain ==  .*.domain.tld) {
> >       if (self) {
> >         write
> >       }
> >       elseif (users) {
> >         read
> >       }
> >   }
> >   else {
> >       no access at all.
> >   }
> >
> > Can anybody help out here?


Actually, this should work (tested against HEAD):

# reject accesses from unwanted domains; otherwise
# try following rules ("write" here is only to
# give the most liberal access; the actual access 
# will be determined by the following rules)
access to *
        by domain=".*\.domain\.tld" write break
        by * none

# need this for binding (note that above rule denies 
# bind from undesired domains as well)
access to attrs=userPassword
        by self write
        by * auth

# access to anything else
access to *
        by self write
        by users read
        by * none

I still recommend iptables/ipchains (or at least 
tcpwrappers) because of efficiency and security 
concerns: they check access well ahead of slapd.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
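As an added illustration (not code from the thread or from OpenLDAP), the script below models how slapd walks the three access clauses in the reply above, including the "break" control that lets the domain check fall through to the later rules. The request fields, the bind DNs and the host names are constructed placeholders; the model assumes slapd applies the domain regex unanchored and denies when no clause matches.

```python
import re

# Access levels in slapd's order; a request needs a level no higher than the one granted.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The three access clauses from the reply, transcribed as data:
# (<what>, [(<who>, <access>, <control>), ...]); "stop" is slapd's default control.
ACLS = [
    ("*", [(r"domain=.*\.domain\.tld", "write", "break"), ("*", "none", "stop")]),
    ("attrs=userPassword", [("self", "write", "stop"), ("*", "auth", "stop")]),
    ("*", [("self", "write", "stop"), ("users", "read", "stop"), ("*", "none", "stop")]),
]

def who_matches(who, req):
    """Model of the <who> forms used in the reply. Assumption: the domain regex is
    searched unanchored, so anchor it (^...$) if you want an exact suffix match."""
    if who == "*":
        return True
    if who == "self":
        return req["binddn"] is not None and req["binddn"] == req["entry"]
    if who == "users":
        return req["binddn"] is not None
    if who.startswith("domain="):
        return re.search(who[len("domain="):], req["peer_domain"]) is not None
    raise ValueError(f"unsupported <who>: {who}")

def what_matches(what, req):
    return what == "*" or what == "attrs=" + req["attr"]

def granted(req):
    """First clause whose <what> matches, first <by> whose <who> matches: 'stop' ends
    evaluation with that level, 'break' keeps the level but continues with the next
    clause, which may replace it. Assumption: no match at all means 'none'."""
    level = "none"
    for what, bys in ACLS:
        if not what_matches(what, req):
            continue
        for who, lvl, control in bys:
            if who_matches(who, req):
                level = lvl
                if control == "stop":
                    return level
                break  # 'break' control: move on to the next access clause
    return level

def allowed(req, needed):
    return LEVELS.index(granted(req)) >= LEVELS.index(needed)

def req(peer_domain, binddn, entry, attr="cn"):
    """Constructed request: reverse-resolved client name, bind DN (None = anonymous),
    entry DN being accessed and the attribute touched (all placeholder values)."""
    return {"peer_domain": peer_domain, "binddn": binddn, "entry": entry, "attr": attr}
```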