Re: ACLs with ip control
I also ran "slaptest -d acl" and it does not mention any error on this line.
However, I have a warning "warning: cannot assess the validity of the
ACL scope within backend naming context" on line "by * none". Do you know what
the reason is?
All your statements in your first message are "access to *" either
implicitly or explicitly. Outside of the root, "*" might not match
everything that you'd think it would from a casual reading. So if you have (for
instance) those statements under a "suffix dc=femto-st,dc=org", slapd is
warning you that "access to dn.subtree="dc=femto-st,dc=org"" might be a
lot more intuitive to a quick read.
I set up "by anonymous peername.ip=10.0.0.253 read" as I saw it in the
OpenLDAP FAQ (http://www.openldap.org/faq/index.cgi?file=454). The ANDed
setup seems to be allowed.
OK, if that's valid syntax, then try slapd -d acl and see what's actually
happening?
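
The explicit-scope form suggested in this reply, written out as a slapd.conf fragment. This is an added example, not configuration posted by anyone in the thread. The suffix and IP address are the ones quoted above; the userPassword rule is an assumption, added because a bare "by * none" also removes the auth access that binds need.

```conf
# Constructed example: fragment of a database section in slapd.conf.
suffix "dc=femto-st,dc=org"

# Assumed rule, not from the thread. slapd applies the first "access to"
# directive whose target matches, so this must come before the broader one.
access to dn.subtree="dc=femto-st,dc=org" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Explicit scope instead of "access to *". The "by" clauses are tried in
# order and evaluation stops at the first match. The two conditions in the
# first clause are ANDed: the client must be unauthenticated AND connect
# from 10.0.0.253. Every other client, authenticated or not, falls through
# to "by * none".
access to dn.subtree="dc=femto-st,dc=org"
    by anonymous peername.ip=10.0.0.253 read
    by * none
```

Running slapd -d acl, as suggested above, shows which directive and which "by" clause each request matches.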