Re: peername + openldap 2.2.4
>
>
> --On Wednesday, January 07, 2004 9:06 AM +0000 Dave Lewney
> <D.M.Lewney@sussex.ac.uk> wrote:
>
>> Trying to restrict access to Openldap server (v2.2.4 running under
>> Solaris 8) to 139.184.0.0/16 with this acl ...
>>
>> access to *
>> by peername="139.184.*.*" read
>> by peername="IP=127\.0\.0\.1:*" read
>> by users ssf=112 tls_ssf=112 read
>> by * none
>
> Hello Dave,
>
> I see the same issue. I've filed an ITS at the OpenLDAP website
> (ITS#2904).
Works perfectly for me (HEAD, but right now it's exactly
like 2.2.*). I note that
peername="139.184.*.*"
is an invalid regex (or, at least, results in a different
behavior from what you likely expect). Moreover, the default
for unqualified acl patterns is now EXACT rather than REGEX.
Try
peername.regex="139\.184"
this will surprisingly match the IP you're using.
A rather better solution would be to use
peername.regex="^IP=139\.184\.*"
Note that EXACT peername strings make no sense since
the port in most cases would be randomly picked by the OS.
A "peername.ip" style modifier could be interesting,
but a radically better solution would be to use a more
reliable ACL policy than one based on the IP of the
client.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
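The patterns discussed in this thread, worked through as an added example (not code from the thread or from OpenLDAP). It assumes slapd presents the peername as "IP=<addr>:<port>" as the reply describes, approximates an unanchored POSIX regex match with Python's re.search, and uses constructed sample peernames; the "strict" pattern is an assumption of mine, ending in one literal dot instead of the reply's "\.*".

```python
import re

# Constructed sample peernames in the "IP=<addr>:<port>" form; the port is
# whatever the client OS picked, which is why exact matching is useless.
SAMPLE_PEERNAMES = [
    "IP=139.184.10.5:54321",   # inside 139.184.0.0/16
    "IP=139.184.200.1:1024",   # inside 139.184.0.0/16
    "IP=10.139.184.7:33000",   # outside, but contains "139.184"
    "IP=139.18.4.2:40000",     # outside
    "IP=127.0.0.1:45678",      # localhost
]

PATTERNS = {
    # from the original ACL: as a regex "." and "*" are metacharacters,
    # so this reads "139", any char, "184", then anything at all
    "original": r"139.184.*.*",
    # unanchored: "139.184" anywhere in the string, e.g. in 10.139.184.7
    "unanchored": r"139\.184",
    # the reply's better pattern ("\.*" = zero or more literal dots,
    # so it is effectively a prefix test on "IP=139.184")
    "reply_anchored": r"^IP=139\.184\.*",
    # assumed tighter form: anchored prefix plus exactly one literal dot
    "strict": r"^IP=139\.184\.",
}


def grants(style, pattern, peername):
    """Would 'by peername[.style]=pattern' match this peer?

    'exact' (the unqualified default the reply mentions) is a plain
    string comparison, so a wildcard pattern never equals a real
    peername; 'regex' matches anywhere, like an unanchored regexec().
    """
    if style == "exact":
        return pattern == peername
    return re.search(pattern, peername) is not None


def allowed_peers(style, pattern, peernames=SAMPLE_PEERNAMES):
    """Peernames the clause would grant access to, in input order."""
    return [p for p in peernames if grants(style, pattern, p)]


def in_expected_range(peername, net_prefix="139.184."):
    """Ground truth for 139.184.0.0/16: strip "IP=" and the port first."""
    addr = peername[3:] if peername.startswith("IP=") else peername
    return addr.rsplit(":", 1)[0].startswith(net_prefix)


def overmatching(style, pattern):
    """Peers the clause lets in that are NOT in 139.184.0.0/16."""
    return [p for p in allowed_peers(style, pattern) if not in_expected_range(p)]
```

Running allowed_peers("exact", PATTERNS["original"]) returns nothing, which is the behaviour the original poster saw; the unanchored patterns also admit 10.139.184.7, while both anchored forms admit only the two 139.184.x.x peers.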