Re: ACL: Combining domain and other <who> directives?
Pierangelo Masarati wrote:
>
> Marian Steinbach wrote:
> >
> > Hello!
> >
> > After digging into the admin guide and FAQmatic I am not yet aware of
> > how to solve this problem:
> >
> > I only want to allow access to an OpenLDAP 2 server from one domain.
> > Within that domain, some other <who> directives are important in order
> > to allow different access from none to write. Maybe I am suffering from
> > total misconception, but I am just missing boolean operators like "NOT"
> > operator or an "AND", that's why I can't formulate the rules in OpenLDAP
> > lingo.
> >
> > In pseudo code, this is what I am after:
> >
> > access to *
> >     if (domain == .*.domain.tld) {
> >         if (self) {
> >             write
> >         }
> >         elseif (users) {
> >             read
> >         }
> >     }
> >     else {
> >         no access at all.
> >     }
> >
> > Can anybody help out here?
Actually, this should work (tested against HEAD):
# reject accesses from unwanted domains; otherwise
# try following rules ("write" here is only to
# give the most liberal access; the actual access
# will be determined by the following rules)
access to *
    by domain=".*\.domain\.tld" write break
    by * none

# need this for binding (note that above rule denies
# bind from undesired domains as well)
access to attrs=userPassword
    by self write
    by * auth

# access to anything else
access to *
    by self write
    by users read
    by * none
I still recommend iptables/ipchains (or at least
tcpwrappers) because of efficiency and security
concerns: they check access well ahead of slapd.
Pierangelo.
--
Dr. Pierangelo Masarati              | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale               | fax:   +39 02 2399 8334
Politecnico di Milano                | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy  | http://www.aero.polimi.it/~masarati
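As an added illustration (not code from the thread or from OpenLDAP itself), the following Python models how slapd walks the three directives in the reply above: the first directive whose <what> covers the target is used, the first matching <by> clause sets the access level, and "break" carries evaluation on to the next directive instead of stopping. The request shape, the sample hosts and DNs, and matching the domain pattern against the whole peer host name are assumptions made for this demonstration.

```python
import re

# The three directives from the reply, as (what, [(who, level, control)]).
ACLS = [
    ("*", [("domain", "write", "break"), ("*", "none", "stop")]),
    ("attrs=userPassword", [("self", "write", "stop"), ("*", "auth", "stop")]),
    ("*", [("self", "write", "stop"), ("users", "read", "stop"), ("*", "none", "stop")]),
]
# Assumption: the pattern is matched against the whole peer host name.
DOMAIN_RE = re.compile(r".*\.domain\.tld")
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, req):
    """Evaluate one <who> selector against a request (constructed shape)."""
    if who == "*":
        return True
    if who == "domain":
        return DOMAIN_RE.fullmatch(req["peer_domain"]) is not None
    if who == "self":
        return req["binddn"] is not None and req["binddn"] == req["target_dn"]
    if who == "users":
        return req["binddn"] is not None      # any authenticated identity
    raise ValueError(who)

def what_matches(what, req):
    return what == "*" or what == "attrs=" + req["attr"]

def granted(req):
    """Walk the directives in order and return the resulting access level."""
    level = "none"
    for what, clauses in ACLS:
        if not what_matches(what, req):
            continue                          # <what> does not cover the target
        for who, lvl, control in clauses:
            if who_matches(who, req):
                level = lvl                   # a level clause replaces the mask
                break
        else:
            return "none"                     # directive matched, no <by> did
        if control != "break":
            return level                      # default control: stop here
    return level                              # ran out of directives

def allowed(req, needed):
    return LEVELS.index(granted(req)) >= LEVELS.index(needed)

if __name__ == "__main__":
    # Constructed sample: anonymous bind attempt from a host in the allowed domain.
    req = {"peer_domain": "pc1.domain.tld", "binddn": None,
           "target_dn": "uid=ann,dc=example", "attr": "userPassword"}
    print(granted(req))  # auth
```

Running it against a client in another domain shows the point the reply makes about binding: that client stops at the first directive with "none" and never reaches the userPassword rule that grants "auth".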