[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Restricting access to certain DNs based on IP address?
Dave Horsfall writes:
> On Mon, 20 Dec 2004, Steve Sobol wrote:
>
>> Is it possible to restrict access to specific DNs based on IP address, for
>> example "ou=public,dc=company,dc=com" is left open to everyone but
>> "ou=private,dc=company,dc=com" is only accessible to people visiting from
>> 192.168.2.0/24?
>
> access to dn.subtree="ou=private,dc=company,dc=com"
> by peername.ip=192.168.2.0%255.255.255.0 read/write/etc
Probably not 'write/etc' - unless everyone at those addresses should
have anonymous write access:-) But for read, that's fine. If you want
more fine-tuned access control below ou=private - e.g. granting someone
write access, you might instead want something like
access to dn.subtree="ou=private,dc=company,dc=com"
by peername.ip=192.168.2.0%255.255.255.0 none break
by * none
as the first statement: It doesn't grant access to anyone, but it stops
access for anyone outside those addresses. The 'break' means that later
access statements will be applied for users at these addresses, so you
can append access statements like e.g.
access to * by self write
by dn.exact=cn=some-administrator write
by * read
Oh, and remember the usual 'access to attrs=userPassword by ssf=128
auth' or something further up, of course.
--
Hallvard