Jason Joines wrote:
I have this ACL in place at the moment and have TLS and ldapi working.
access to attr=userPassword
by self write
by anonymous auth
by * none
access to attr=sambaNTPassword
by self write
by anonymous auth
by * none
access to attr=sambaLMPassword
by self write
by anonymous auth
by * none
I think this way is three times faster
access to attr=sambaLMPassword,sambaNTPassword,userPassword
by self write
by anonymous auth
by * none
access to *
by * read
Now I need to add some additional controls.
(1) I want local access via the socket /var/run/slapd/ldapi with no
encryption required.
(2) I want access from hosts in a private subnet to be the same, no
encryption required, say from 172.19.1.0/27.
(for openldap 2.2.x)
add "by peername.ip=172.19.1.0%255.255.255.128 ssf=0 read|write|whatever_you_want"
(3) I want access from hosts in several public subnets but require
encryption, say 172.19.2.0/23, 172.19.6.0/22, and 172.19.11.0/24.
add "by peername.ip=172.19.1.0%255.255.255.128 ssf=56 read|write|whatever_you_want"
(4) I want access from everywhere else to be denied.
the last acl must be "access to * by * none"
I've read slapd.access and see sockname, sockurl, peer, ssf_tls,
ssf_transport and lots of other options that look like they can be
combined to accomplish this. I've searched Google, this list, and the
FAQ-O-Matic for examples but still don't have much idea how to get started.
Any assistance would be appreciated.
Thanks,
Jason Joines
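As an added example (not from the thread and not an official OpenLDAP sample), here is a slapd.conf ACL fragment for OpenLDAP 2.2 that combines the merged password-attribute rule above with requirements (1) through (4) using the peername and ssf who-clauses from slapd.access(5). The dotted masks, the use of the aligned /22 network, and the peername.path style for the ldapi socket are assumptions.

```conf
# Added example: first matching "access to" wins, and within it the first
# matching "by" wins, so the password rule must come before "access to *".
# All components on one "by" line must match (identity AND network AND ssf).

# Password attributes: owner may change, anonymous may only bind (auth).
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    # (1) local clients on the ldapi socket, no encryption required
    by self      peername.path=/var/run/slapd/ldapi write
    by anonymous peername.path=/var/run/slapd/ldapi auth
    # (2) private subnet 172.19.1.0/27 (mask 255.255.255.224), ssf not required
    by self      peername.ip=172.19.1.0%255.255.255.224 write
    by anonymous peername.ip=172.19.1.0%255.255.255.224 auth
    # (3) public subnets, a session security factor of at least 56 required
    #     (use tls_ssf=56 instead to insist on TLS rather than any SASL layer);
    #     172.19.6.0/22 is not on a /22 boundary, its network is 172.19.4.0
    by self      peername.ip=172.19.2.0%255.255.254.0  ssf=56 write
    by anonymous peername.ip=172.19.2.0%255.255.254.0  ssf=56 auth
    by self      peername.ip=172.19.4.0%255.255.252.0  ssf=56 write
    by anonymous peername.ip=172.19.4.0%255.255.252.0  ssf=56 auth
    by self      peername.ip=172.19.11.0%255.255.255.0 ssf=56 write
    by anonymous peername.ip=172.19.11.0%255.255.255.0 ssf=56 auth
    # (4) everyone else: explicit deny (this is also the implicit default)
    by * none

# Everything else in the tree: read-only from the same networks, same ssf rules.
access to *
    by peername.path=/var/run/slapd/ldapi read
    by peername.ip=172.19.1.0%255.255.255.224 read
    by peername.ip=172.19.2.0%255.255.254.0  ssf=56 read
    by peername.ip=172.19.4.0%255.255.252.0  ssf=56 read
    by peername.ip=172.19.11.0%255.255.255.0 ssf=56 read
    by * none
```

Because an unmatched "by" list already denies, a trailing "access to * by * none" after this fragment would never be reached; the explicit "by * none" lines here are what actually implement requirement (4).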