
Re: ACLs: 'and' clause in ACLs



> Hi list, and thanks for reading.
>
> I am wondering if it is possible to join two rules in a "who" field of
> an ACL, in a way so both *must* match for granting the associated
> permission.
> What I need is allowing certain write and read access only to users that
> are authenticated with a certain dn, AND from a defined IP (peername).
>
> Is that possible, and how?

Yes.  See the "<control>" field in slapd.access(5); for example (RE22/HEAD):

access to *
    by dn.exact="cn=foo" =rw continue
    by peername.ip="127.0.0.1" +0 stop
    by * auth

gives "rw" (read + write) access to "cn=foo", and confirms it if the
request comes from "127.0.0.1" (the "break" is redundant, of course);
otherwise, privileges are reset to "auth", which applies to "*".

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
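To see why the "=rw continue" / "+0 stop" / "auth" sequence above amounts to an AND of the two "who" selectors, here is a small Python model of how one "access to" directive's "by" clauses are walked, written for this thread and not taken from OpenLDAP itself. It follows the semantics described in slapd.access(5) as used in the reply, with simplifications that are assumptions of the model: access levels imply every lower level, explicit privilege lists (=rw, +0) are exact, only one directive is modelled, so "break" behaves like "stop" here, and the Request/By/evaluate names are invented for the illustration.

```python
# Toy model of how slapd evaluates the "by <who> <access> <control>" clauses of
# one "access to" directive, per slapd.access(5). Written for this thread; it is
# not OpenLDAP code and simplifies the real semantics (see the lead-in).
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Access levels are cumulative: write > read > search > compare > auth > none.
LEVELS: Dict[str, Set[str]] = {
    "none": set(),
    "auth": {"x"},
    "compare": {"x", "c"},
    "search": {"x", "c", "s"},
    "read": {"x", "c", "s", "r"},
    "write": {"x", "c", "s", "r", "w"},
}


@dataclass
class Request:
    dn: str   # bound DN, "" for anonymous
    ip: str   # peer IP address (what peername.ip matches against)


@dataclass
class By:
    who: Callable[[Request], bool]   # the <who> selector
    access: str                      # "=rw", "+0", "auth", ...
    control: str = "stop"            # "stop" (the default), "continue", "break"


def privs_of(spec: str) -> Set[str]:
    """Parse a privilege list; "0" means no privileges at all."""
    return set() if spec == "0" else set(spec)


def apply_access(current: Set[str], access: str) -> Set[str]:
    """'=' sets the privileges exactly, '+' adds, '-' removes; a bare level
    name resets the privileges to those implied by that level."""
    if access[0] == "=":
        return privs_of(access[1:])
    if access[0] == "+":
        return current | privs_of(access[1:])
    if access[0] == "-":
        return current - privs_of(access[1:])
    return set(LEVELS[access])


def evaluate(clauses: List[By], req: Request) -> Set[str]:
    """Walk the <by> clauses in order, starting from no privileges."""
    granted: Set[str] = set()
    for clause in clauses:
        if not clause.who(req):
            continue
        granted = apply_access(granted, clause.access)
        if clause.control in ("stop", "break"):
            # "stop" ends evaluation; "break" would move on to the next
            # "access to" directive, which this single-directive model lacks.
            return granted
        # "continue": keep evaluating the remaining clauses
    return granted


# Selectors for the <who> forms used in the thread.
def dn_exact(dn: str) -> Callable[[Request], bool]:
    return lambda r: r.dn == dn


def peername_ip(ip: str) -> Callable[[Request], bool]:
    return lambda r: r.ip == ip


def anyone(r: Request) -> bool:
    return True


# The directive from the reply:
#   access to *
#       by dn.exact="cn=foo" =rw continue
#       by peername.ip="127.0.0.1" +0 stop
#       by * auth
ACL: List[By] = [
    By(dn_exact("cn=foo"), "=rw", "continue"),
    By(peername_ip("127.0.0.1"), "+0", "stop"),
    By(anyone, "auth"),
]


def can_write(req: Request) -> bool:
    return "w" in evaluate(ACL, req)


if __name__ == "__main__":
    # Constructed sample requests covering the four dn/IP combinations.
    for req in (Request("cn=foo", "127.0.0.1"), Request("cn=foo", "10.0.0.5"),
                Request("", "127.0.0.1"), Request("cn=bar", "10.0.0.5")):
        who = req.dn or "(anonymous)"
        print(f"{who:12} from {req.ip:10} -> {sorted(evaluate(ACL, req)) or 'none'}")
```

Only the request that satisfies both selectors keeps "rw": the first clause grants it but continues, the second clause adds nothing and stops, so "by * auth" never runs; for cn=foo from any other address the third clause resets the privileges to "auth", and for anyone else from 127.0.0.1 the "+0 stop" leaves them with nothing.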