peername + openldap 2.2.4

Trying to restrict access to an OpenLDAP server (v2.2.4 running under Solaris 8) to 139.184.0.0/16 with this ACL ...

access to *
        by peername="139.184.*.*"               read
        by peername="IP=127\.0\.0\.1:*"         read
        by users  ssf=112       tls_ssf=112             read
        by *                            none

... but this appears to be denying access to any client - log follows.

Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=dml,ou=Mail,o=University of Sussex", attr "uid" requested
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 488679 local4.debug] => acl_mask: to value by "", (=n)
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: 139.184.*.*
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: IP=127.0.0.1:*
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: users
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: *
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 279303 local4.debug] <= acl_mask: [4] applying none(=n) (stop)
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 804284 local4.debug] <= acl_mask: [4] mask: none(=n)
Jan 7 08:49:11 firle.central.susx.ac.uk slapd[4429]: [ID 384072 local4.debug] => access_allowed: search access denied by none(=n)


The same peername line works on a v2.1.22 server, as does reverse lookup/domain matching (also failing under 2.2.4). All of this makes me think that I've missed something in the configuration/compile maybe. Config options were ...

./configure \
    --prefix=/local/openldap-2.2.4 \
    --with-tls=openssl \
    --with-openssl \
    --enable-rlookups \
    --enable-ldbm \
    --enable-crypt \
    --enable-monitor \
    --disable-bdb \
    --sysconfdir=/etc \
    --localstatedir=/var


Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
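Added example, not part of the post above and not OpenLDAP's own code: a small Python model of how a 2.2-series slapd compares a client's peername string against the peername styles described in slapd.access(5) (exact, regex, ip with optional netmask and port), walked in clause order the way the acl_mask trace does, plus a parser that pulls the checked patterns and the finally applied clause out of "<= check ..." / "<= acl_mask: [n] applying ..." debug lines like those quoted in the post. The style semantics are this example's reading of the 2.2 manual page and are an assumption to be checked against the version in use; the "IP=<address>:<port>" peername form, the client addresses and ports, and the names of all functions and lists are constructed for the example.

```python
"""Added example (not from the post or from OpenLDAP): model the peername
ACL styles of slapd.access(5) for 2.2 and parse acl_mask debug lines.

Assumed style semantics (check against your slapd.access(5)):
  peername=<str>                        exact string compare (default style)
  peername.regex=<re>                   regex against the full peername string
  peername.ip=<ip>[%<mask>][{<port>}]   address, optional netmask, optional port
"""
import ipaddress
import re


def peername_string(ip, port):
    """Assumed 2.2 form of a TCP client's peername: 'IP=<address>:<port>'."""
    return f"IP={ip}:{port}"


def match_exact(pattern, peername):
    return pattern == peername


def match_regex(pattern, peername):
    return re.search(pattern, peername) is not None


def match_ip(pattern, peername):
    """peername.ip=<ip>[%<mask>][{<port>}] against an 'IP=addr:port' peername."""
    m = re.fullmatch(r"IP=(\d+\.\d+\.\d+\.\d+):(\d+)", peername)
    if not m:
        return False  # e.g. a PATH=... unix-socket peername, or unparsable
    addr, port = ipaddress.IPv4Address(m.group(1)), int(m.group(2))
    pm = re.fullmatch(r"([^%{]+)(?:%([^{]+))?(?:\{(\d+)\})?", pattern)
    if not pm:
        return False
    net_addr, mask, want_port = pm.groups()
    network = ipaddress.IPv4Network(
        f"{net_addr}/{mask or '255.255.255.255'}", strict=False)
    return addr in network and (want_port is None or port == int(want_port))


STYLES = {
    "exact": match_exact,
    "regex": match_regex,
    "ip": match_ip,
    "any": lambda pattern, peername: True,  # the 'by *' clause
}


def first_matching_clause(clauses, peername):
    """Walk the 'by' clauses in order, as acl_mask does; return
    (clause index, access) of the first match, or None."""
    for i, (style, pattern, access) in enumerate(clauses):
        if STYLES[style](pattern, peername):
            return i, access
    return None


# The posted ACL read with the default (exact) peername style. The
# 'by users ssf=... tls_ssf=...' clause is left out: the trace in the post
# shows an anonymous request ('by ""'), so that clause cannot match anyway.
POSTED_CLAUSES = [
    ("exact", "139.184.*.*", "read"),
    ("exact", r"IP=127\.0\.0\.1:*", "read"),
    ("any", "*", "none"),
]

# The same intent spelled with explicit styles (assumed 2.2 syntax).
STYLED_CLAUSES = [
    ("ip", "139.184.0.0%255.255.0.0", "read"),
    ("ip", "127.0.0.1", "read"),
    ("any", "*", "none"),
]

TRACE_RE = re.compile(
    r"<= (?:check (a_\w+): (.*)|acl_mask: \[(\d+)\] applying (\w+)\(=\w+\) \(stop\))$")


def parse_acl_trace(lines):
    """Return ([(checker, pattern), ...], (applied clause, access)) from
    slapd '<= check ...' and '<= acl_mask: [n] applying ...' lines."""
    checked, applied = [], None
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        if m.group(1):
            checked.append((m.group(1), m.group(2)))
        else:
            applied = (int(m.group(3)), m.group(4))
    return checked, applied


# Debug lines as quoted in the post (syslog prefix trimmed).
SAMPLE_TRACE = [
    "slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: 139.184.*.*",
    "slapd[4429]: [ID 919802 local4.debug] <= check a_peername_path: IP=127.0.0.1:*",
    "slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: users",
    "slapd[4429]: [ID 704950 local4.debug] <= check a_dn_pat: *",
    "slapd[4429]: [ID 279303 local4.debug] <= acl_mask: [4] applying none(=n) (stop)",
    "slapd[4429]: [ID 804284 local4.debug] <= acl_mask: [4] mask: none(=n)",
]

if __name__ == "__main__":
    client = peername_string("139.184.10.20", 45678)  # constructed campus client
    print("trace:", parse_acl_trace(SAMPLE_TRACE))
    print("posted ACL ->", first_matching_clause(POSTED_CLAUSES, client))
    print("styled ACL ->", first_matching_clause(STYLED_CLAUSES, client))
```

Under the exact style a literal "139.184.*.*" is compared as a string against "IP=139.184.10.20:45678" and falls through to the final "by * none", which is the shape of the trace in the post; the same walk with an ip-style clause stops at the first clause with read. Run it with the debug lines of a real trace in SAMPLE_TRACE to see which clause index slapd actually applied before changing the ACL.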