peername + openldap 2.2.4
Trying to restrict access to an OpenLDAP server (v2.2.4 running under Solaris
8) to 139.184.0.0/16 with this acl ...
access to *
by peername="139.184.*.*" read
by peername="IP=127\.0\.0\.1:*" read
by users ssf=112 tls_ssf=112 read
by * none
... but this appears to be denying access to any client - log follows.
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=dml,ou=Mail,o=University of Sussex", attr "uid" requested
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 488679 local4.debug] => acl_mask: to value by "", (=n)
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: 139.184.*.*
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: IP=127.0.0.1:*
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: users
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: *
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 279303 local4.debug] <= acl_mask: [4] applying none(=n) (stop)
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 804284 local4.debug] <= acl_mask: [4] mask: none(=n)
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 384072 local4.debug] => access_allowed: search access denied by none(=n)
The same peername line works on a v2.1.22 server, as does reverse
lookup/domain matching (also failing under 2.2.4). All of this makes me
think that I've missed something in the configuration/compile maybe. Config
options were ...
./configure \
--prefix=/local/openldap-2.2.4 \
--with-tls=openssl \
--with-openssl \
--enable-rlookups \
--enable-ldbm \
--enable-crypt \
--enable-monitor \
--disable-bdb \
--sysconfdir=/etc \
--localstatedir=/var
Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
- References:
- acl fun
- From: Craig White <craigwhite@azapple.com>
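As an added example (not part of Dave's post, nor OpenLDAP's own code), a small Python parser that turns a slapd acl_mask debug trace like the one above into one record per access check, so you can see which "by" clauses slapd tried and which one finally applied. The sample lines are constructed from the post's trace, with the hostname shortened and the mail wrapping removed.

```python
import re

# Constructed sample, modelled on the slapd ACL debug lines in the post
# (Solaris syslog prefix and "[ID nnn local4.debug]" tag included).
SAMPLE_LOG = """\
Jan 7 08:49:11 firle slapd[4429]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=dml,ou=Mail,o=University of Sussex", attr "uid" requested
Jan 7 08:49:11 firle slapd[4429]: [ID 488679 local4.debug] => acl_mask: to value by "", (=n)
Jan 7 08:49:11 firle slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: 139.184.*.*
Jan 7 08:49:11 firle slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: IP=127.0.0.1:*
Jan 7 08:49:11 firle slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: users
Jan 7 08:49:11 firle slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: *
Jan 7 08:49:11 firle slapd[4429]: [ID 279303 local4.debug] <= acl_mask: [4] applying none(=n) (stop)
Jan 7 08:49:11 firle slapd[4429]: [ID 804284 local4.debug] <= acl_mask: [4] mask: none(=n)
Jan 7 08:49:11 firle slapd[4429]: [ID 384072 local4.debug] => access_allowed: search access denied by none(=n)
"""

# One regex per slapd trace line kind we care about.
ENTRY_RE = re.compile(r'=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
CHECK_RE = re.compile(r'<= check (a_\w+): (.*)$')
APPLY_RE = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+) \(stop\)')
RESULT_RE = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')


def summarize_acl_trace(text):
    """Group slapd ACL debug lines into one record per access check.

    Each record holds the target entry/attr, the "by" clause patterns slapd
    tried in order, the 1-based clause index that applied, and the result.
    """
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            records.append({"entry": m.group(1), "attr": m.group(2),
                            "checks": [], "applied": None, "result": None})
            continue
        if not records:
            continue  # trace fragment before any "access to entry" line
        rec = records[-1]
        if (m := CHECK_RE.search(line)):
            rec["checks"].append((m.group(1), m.group(2).strip()))
        elif (m := APPLY_RE.search(line)):
            rec["applied"] = (int(m.group(1)), m.group(2))
        elif (m := RESULT_RE.search(line)):
            rec["result"] = (m.group(1), m.group(2), m.group(3))
    return records


def fell_through(rec):
    """Clauses slapd evaluated without a match before the one that applied.

    For the posted trace the applied clause is [4] ("by * none"), so both
    peername patterns and "users" are the clauses that never matched."""
    if rec["applied"] is None:
        return rec["checks"]
    return rec["checks"][: rec["applied"][0] - 1]
```

Feed it a real loglevel 128 (ACL) trace and the fell_through list shows at a glance which peername patterns a client is failing to match.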