
Re: peername + openldap 2.2.4

> --On Wednesday, January 07, 2004 9:06 AM +0000 Dave Lewney
> <D.M.Lewney@sussex.ac.uk> wrote:
>
>> Trying to restrict access to Openldap server (v2.2.4 running under
>> Solaris 8) to 139.184.0.0/16 with this acl ...
>>
>> access to *
>>          by peername="139.184.*.*"               read
>>          by peername="IP=127\.0\.0\.1:*"         read
>>          by users  ssf=112       tls_ssf=112             read
>>          by *                            none
>
> Hello Dave,
>
> I see the same issue.  I've filed an ITS at the OpenLDAP website
> (ITS#2904).

Works perfectly for me (HEAD, but right now it's exactly
like 2.2.*).  I note that

        peername="139.184.*.*"

is an invalid regex (or, at least, results in a different
behavior from what you likely expect).  Moreover, the default
for unqualified acl patterns is now EXACT rather than REGEX.

Try

        peername.regex="139\.184"

this will surprisingly match the IP you're using.
A rather better solution would be to use

        peername.regex="^IP=139\.184\.*"

Note that EXACT peername strings make no sense since
the port in most cases would be randomly picked by the OS.

A "peername.ip" style modifier could be interesting,
but a radically better solution would be to use a more
reliable ACL policy than one based on the IP of the
client.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
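The reply above turns on two things that are easy to get wrong when writing peername ACLs: which matching style slapd applies (EXACT compares the whole "IP=addr:port" string, REGEX runs an unanchored POSIX search), and the fact that the port in the peername is an ephemeral value chosen by the client's OS. The following is an added illustration written for this page, not code from OpenLDAP or from either poster; it models those two matching styles with Python's re module, runs the patterns quoted in the thread over constructed peername strings, and finishes with the kind of subnet-membership check a hypothetical "peername.ip" modifier would perform. The peername strings, their ports and the 10.139.184.5 host are constructed sample data.

```python
import ipaddress
import re

# Constructed sample peernames in the "IP=<addr>:<port>" form shown in
# the thread. The ports are arbitrary ephemeral values.
SAMPLE_PEERNAMES = [
    "IP=139.184.10.20:41022",   # inside 139.184.0.0/16
    "IP=139.184.10.20:59991",   # same client, reconnecting on a new port
    "IP=139.185.10.20:41022",   # outside the /16
    "IP=10.139.184.5:41022",    # contains "139.184" but is not in the /16
    "IP=127.0.0.1:33001",       # loopback client
]


def exact_match(pattern, peername):
    """EXACT style (the 2.2 default): the ACL value must equal the
    whole peername string, port included."""
    return pattern == peername


def regex_match(pattern, peername):
    """REGEX style: POSIX regexec() semantics, i.e. the pattern is
    searched for anywhere in the peername unless anchored with ^/$."""
    return re.search(pattern, peername) is not None


def grants(pattern, style, peernames=SAMPLE_PEERNAMES):
    """Return the sample peernames that an ACL clause with this pattern
    and matching style would grant access to."""
    matcher = {"exact": exact_match, "regex": regex_match}[style]
    return [p for p in peernames if matcher(pattern, p)]


def peername_ip(peername):
    """Extract the address part of an IP= peername, or None for other
    peername kinds (e.g. PATH= for a Unix-domain socket)."""
    if not peername.startswith("IP="):
        return None
    host, _sep, _port = peername[3:].rpartition(":")
    return ipaddress.ip_address(host)


def ip_allowed(peername, network="139.184.0.0/16"):
    """What a hypothetical 'peername.ip' modifier would do: compare the
    client address against a CIDR block and ignore the port entirely."""
    addr = peername_ip(peername)
    return addr is not None and addr in ipaddress.ip_network(network)


if __name__ == "__main__":
    cases = [
        ("139.184.*.*", "exact"),           # the original ACL, 2.2 default style
        ("139.184.*.*", "regex"),           # same value read as a regex
        (r"139\.184", "regex"),             # the first suggestion in the reply
        (r"^IP=139\.184\.*", "regex"),      # the anchored suggestion
        (r"IP=127\.0\.0\.1:*", "exact"),    # loopback clause, EXACT style
        (r"IP=127\.0\.0\.1:*", "regex"),    # loopback clause, REGEX style
    ]
    for pattern, style in cases:
        print(f"{style:5} {pattern!r:24} -> {grants(pattern, style)}")
    for p in SAMPLE_PEERNAMES:
        print(f"ip check {p:26} -> {ip_allowed(p)}")
```

Running it shows why the original ACL granted nothing under EXACT (no peername equals the literal "139.184.*.*"), why the unanchored "139\.184" form also admits 10.139.184.5, and why a peername with a literal port can never match EXACTly once the client reconnects.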