
Re: adding access location and method to an ACL



José M. Fandiño wrote:
Jason Joines wrote:
   I have this ACL in place at the moment and have TLS and ldapi working.

access to attr=userPassword
 by self write
 by anonymous auth
 by * none

access to attr=sambaNTPassword
 by self write
 by anonymous auth
 by * none

access to attr=sambaLMPassword
 by self write
 by anonymous auth
 by * none

I think this way is three times faster:

access to attr=sambaLMPassword,sambaNTPassword,userPassword
by self write
by anonymous auth
by * none


access to *
 by * read

Now I need to add some additional controls.
(1) I want local access via the socket /var/run/slapd/ldapi with no
encryption required.
(2) I want access from hosts in a private subnet to be the same, no
encryption required, say from 172.19.1.0/27.

(for openldap 2.2.x)

add "by peername.ip=172.19.1.0%255.255.255.128 ssf=0 read|write|whatever_you_want"

(3) I want access from hosts in several public subnets but require
encryption, say 172.19.2.0/23, 172.19.6.0/22, and 172.19.11.0/24.

add "by peername.ip=172.19.1.0%255.255.255.128 ssf=56 read|write|whatever_you_want"

(4) I want access from everywhere else to be denied.

the last acl must be "access to * by * none"

   I've read slapd.access and see sockname, sockurl, peer, ssf_tls,
ssf_transport and lots of other options that look like they can be
combined to accomplish this.  I've searched Google, this list, and the
FAQ-O-Matic for examples but still don't have much idea how to get started.

   Any assistance would be appreciated.

Thanks,

Jason Joines
=================================

I'm not sure what order the rules get checked so I'm not sure where to stick the extra "by" clauses. Would it look like this?


access to attr=sambaLMPassword,sambaNTPassword,userPassword
 by peername.path=/var/run/slapd/ldapi ssf=0
 by peername.ip=172.19.1.0%255.255.255.128 ssf=0
 by peername.ip=172.19.2.0%255.255.255.0 ssf=128
 by peername.ip=172.19.3.0%255.255.255.0 ssf=128
 by peername.ip=172.19.9.0%255.255.255.0
 by self write
 by anonymous auth
 by * none

Or does it need to be in a different order or is there some way to combine them with ANDs or ORs?

Jason
===========
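As an added illustration (not part of this thread, and not OpenLDAP's own code), the following Python script models the two evaluation rules from slapd.access(5) that the question turns on: the specifiers inside a single "by" clause are ANDed, and the "by" clauses of one "access to" directive are tried top to bottom, with the first clause whose specifiers all match deciding the access level (no match means none). The DRAFT text is the proposal above with "read" filled in where the post left the access level blank and only one public subnet kept; both of those are assumptions made for the example, as are the DN, the client addresses and the COMBINED variant. Only the specifiers used in the thread (peername.ip, peername.path, ssf, self, anonymous, *) are supported.

```python
"""Model of how slapd picks the 'by' clause that decides access.

Rules modelled from slapd.access(5): specifiers in ONE 'by' clause are ANDed;
separate 'by' clauses are tried in order and the FIRST full match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Access levels in increasing order (OpenLDAP 2.2 set).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Conn:
    """What slapd knows about the client when it checks the ACL."""
    target_dn: str                  # entry whose password attribute is touched
    bound_dn: Optional[str] = None  # None means anonymous
    ssf: int = 0                    # 0 = no encryption negotiated
    peer_ip: Optional[str] = None
    peer_path: Optional[str] = None


def parse_who(tokens: List[str]) -> List[Callable[[Conn], bool]]:
    """Turn the <who> tokens of one 'by' clause into predicates (all must hold)."""
    preds = []
    for tok in tokens:
        if tok == "*":
            preds.append(lambda c: True)
        elif tok == "self":
            preds.append(lambda c: c.bound_dn is not None
                         and c.bound_dn.lower() == c.target_dn.lower())
        elif tok == "anonymous":
            preds.append(lambda c: c.bound_dn is None)
        elif tok.startswith("peername.ip="):
            ip, _, mask = tok[len("peername.ip="):].partition("%")
            net = ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)
            preds.append(lambda c, net=net: c.peer_ip is not None
                         and ipaddress.ip_address(c.peer_ip) in net)
        elif tok.startswith("peername.path="):
            path = tok[len("peername.path="):]
            preds.append(lambda c, path=path: c.peer_path == path)
        elif tok.startswith("ssf="):
            n = int(tok[len("ssf="):])
            preds.append(lambda c, n=n: c.ssf >= n)  # ssf=N means "at least N"
        else:
            raise ValueError(f"unsupported who-specifier: {tok}")
    return preds


def parse_acl(text: str) -> List[Tuple[List[Callable[[Conn], bool]], str]]:
    """Parse the 'by' lines of one 'access to' directive into (predicates, level)."""
    clauses = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "by":
            continue  # the 'access to ...' line selects the target; not modelled
        if tokens[-1] not in LEVELS:
            raise ValueError(f"clause needs an explicit access level: {line.strip()}")
        clauses.append((parse_who(tokens[1:-1]), tokens[-1]))
    return clauses


def decide(acl_text: str, conn: Conn) -> str:
    """First matching 'by' clause wins; no match means no access."""
    for preds, level in parse_acl(acl_text):
        if all(p(conn) for p in preds):
            return level
    return "none"


# The thread's draft, with 'read' filled in for the blank levels (assumption).
DRAFT = """
access to attr=sambaLMPassword,sambaNTPassword,userPassword
 by peername.path=/var/run/slapd/ldapi ssf=0 read
 by peername.ip=172.19.1.0%255.255.255.128 ssf=0 read
 by peername.ip=172.19.2.0%255.255.255.0 ssf=128 read
 by self write
 by anonymous auth
 by * none
"""

# Same location/ssf restrictions, each ANDed with self or anonymous, so the
# location clauses narrow who gets self-write/auth instead of granting read.
COMBINED = """
access to attr=sambaLMPassword,sambaNTPassword,userPassword
 by peername.path=/var/run/slapd/ldapi self write
 by peername.path=/var/run/slapd/ldapi anonymous auth
 by peername.ip=172.19.1.0%255.255.255.128 self write
 by peername.ip=172.19.1.0%255.255.255.128 anonymous auth
 by peername.ip=172.19.2.0%255.255.255.0 ssf=128 self write
 by peername.ip=172.19.2.0%255.255.255.0 ssf=128 anonymous auth
 by * none
"""

ME = "uid=jason,ou=people,dc=example,dc=com"  # constructed DN


def walkthrough():
    """Return {client: (level under DRAFT, level under COMBINED)} for constructed clients."""
    cases = {
        "ldapi anonymous": Conn(ME, None, 0, peer_path="/var/run/slapd/ldapi"),
        "private subnet anon": Conn(ME, None, 0, peer_ip="172.19.1.7"),
        "public subnet TLS self": Conn(ME, ME, 128, peer_ip="172.19.2.40"),
        "public subnet plain self": Conn(ME, ME, 0, peer_ip="172.19.2.40"),
        "elsewhere TLS self": Conn(ME, ME, 256, peer_ip="198.51.100.9"),
    }
    return {name: (decide(DRAFT, c), decide(COMBINED, c)) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (d, s) in walkthrough().items():
        print(f"{name:26} draft={d:5} combined={s}")
```

Running it shows why the order matters: under DRAFT the first clause that matches on location alone returns "read", so an anonymous client on the socket or in the private subnet reads the password hashes, while a client outside every listed network never hits a location clause and falls through to "by self write", which contradicts points (3) and (4). Under COMBINED a location clause only ever grants what its self/anonymous part allows, and anything that matches no clause ends at "by * none".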