Re: Restricting access to certain DNs based on IP address?

[Hallvard B Furuseth <h.b.furuseth@usit.uio.no>]

Dave Horsfall writes:
> On Mon, 20 Dec 2004, Steve Sobol wrote:
>
>> Is it possible to restrict access to specific DNs based on IP address, for
>> example "ou=public,dc=company,dc=com" is left open to everyone but
>> "ou=private,dc=company,dc=com" is only accessible to people visiting from
>> 192.168.2.0/24?
>
>     access to dn.subtree="ou=private,dc=company,dc=com"
> 	by peername.ip=192.168.2.0%255.255.255.0 read/write/etc

Probably not 'write/etc' - unless everyone at those addresses should
have anonymous write access:-)  But for read, that's fine.  If you want
more fine-tuned access control below ou=private - e.g. granting someone
write access, you might instead want something like

      access to dn.subtree="ou=private,dc=company,dc=com"
	by peername.ip=192.168.2.0%255.255.255.0 none break
	by * none

as the first statement: It doesn't grant access to anyone, but it stops
access for anyone outside those addresses.  The 'break' means that later
access statements will be applied for users at these addresses, so you
can append access statements like e.g.

      access to * by self write
                  by dn.exact=cn=some-administrator write
                  by * read

Oh, and remember the usual 'access to attrs=userPassword by ssf=128
auth' or something further up, of course.

-- 
Hallvard