
Re: peername + openldap 2.2.4



Pierangelo Masarati wrote:

--On Wednesday, January 07, 2004 9:06 AM +0000 Dave Lewney <D.M.Lewney@sussex.ac.uk> wrote:


Trying to restrict access to Openldap server (v2.2.4 running under
Solaris 8) to 139.184.0.0/16 with this acl ...

access to *
        by peername="139.184.*.*"               read
        by peername="IP=127\.0\.0\.1:*"         read
        by users  ssf=112       tls_ssf=112             read
        by *                            none

Hello Dave,

I see the same issue.  I've filed an ITS at the OpenLDAP website
(ITS#2904).


Works perfectly for me (HEAD, but right now it's exactly
like 2.2.*).  I note that

        peername="139.184.*.*"

is an invalid regex (or, at least, results in a different
behavior from what you likely expect).  Moreover, the default
for unqualified acl patterns is now EXACT rather than REGEX.
...
> A rather better solution would be to use
> ...
>        peername.regex="^IP=139\.184\.*"

Success! It was the change in the default behaviour (between v2.1 and v2.2) that caused the problem. Thanks to the contributors.

Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
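As an added illustration (not from this thread or from OpenLDAP itself), the two pattern styles discussed above, emulated in Python on constructed peername strings of the form "IP=addr:port" that the loopback rule in the thread shows: the unqualified (EXACT) pattern never matches a real peername, and the suggested regex also admits addresses that merely begin with "139.184", which a tighter, anchored pattern avoids.

```python
import re

# Constructed sample peernames as slapd presents IPv4 clients ("IP=addr:port").
PEERNAMES = [
    "IP=139.184.10.20:45678",  # inside 139.184.0.0/16, should be allowed
    "IP=139.184.255.1:389",    # inside the range
    "IP=139.1845.1.1:1025",    # outside, but the text starts with "IP=139.184"
    "IP=10.0.0.5:5000",        # outside
    "IP=127.0.0.1:33000",      # loopback
]


def match_exact(pattern, peername):
    """Unqualified peername=... in 2.2: compared literally, no wildcards."""
    return pattern == peername


def match_regex(pattern, peername):
    """peername.regex=...: a regex search, unanchored at the end unless '$' is used."""
    return re.search(pattern, peername) is not None


def allowed_peers(pattern, style):
    """Return the sample peernames a given pattern/style would grant access to."""
    matcher = match_exact if style == "exact" else match_regex
    return [p for p in PEERNAMES if matcher(pattern, p)]


# Pattern from the original ACL: as EXACT it matches nothing, so "by * none" wins.
EXACT_PATTERN = "139.184.*.*"
# Pattern suggested in the thread: "\.*" is zero or more dots, and nothing bounds
# the third octet, so "IP=139.1845..." is admitted as well.
LOOSE_REGEX = r"^IP=139\.184\.*"
# Tighter alternative (assumption, not from the thread): require two more octets
# and the ':' before the port, so only 139.184.x.y peers match.
TIGHT_REGEX = r"^IP=139\.184\.[0-9]{1,3}\.[0-9]{1,3}:"

if __name__ == "__main__":
    for label, pat, style in [("exact", EXACT_PATTERN, "exact"),
                              ("loose", LOOSE_REGEX, "regex"),
                              ("tight", TIGHT_REGEX, "regex")]:
        print(label, pat, "->", allowed_peers(pat, style))
```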