Re: ACLs with ip control
Quoting "Terry L. Inzauro" <tinzauro@ha-solutions.net>:
aubert@iut-bm.univ-fcomte.fr wrote:
I omitted a detail: it works fine if the command is used with an
authenticated user.
--
Emmanuel Aubert
Quoting Aaron Richton <richton@nbcs.rutgers.edu>:
==> by anonymous peername.ip=10.0.0.253 read
I don't think that's valid syntax because you have two <who> clauses,
anonymous and peername.ip. Try only
by peername.ip="10.0.0.253" read
without "anonymous". I'd expect something like this to show up on
"slaptest -d acl". If you want additive "anonymous and peername.ip"
behavior see "<control>" directives.
I didn't read the ACLs thoroughly to see if they'd work with this
change, but it's a starting point...
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Are there any other ACL(s) ahead of or prior to the IP ACL that
might be blocking access? Ordering is very important.
_Terry
Hello.
I joined with this mail the acl file.
Thank you for your help.
--
Emmanuel
# Define global ACLs to disable default read access for dc=femto-st,dc=org,dc=fr.
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#     Allow self write access to user password
#     Allow anonymous users to authenticate
#     Allow read access to everything else
# Directives needed to implement policy:

# Some general ACLs
access to attrs=userPassword
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by anonymous auth
    by self read
    by * none

# ACL for mail management
access to attrs=mailAlternateAddress,accountStatus,mailMessageStore
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=mail,ou=DSA,dc=femto-st,dc=org" read
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# ACL for anonymous access
access to attrs=mail,telephoneNumber,roomNumber,displayName,cn,sn,givenName
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=mail,ou=DSA,dc=femto-st,dc=org" read
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by anonymous peername.ip=10.0.0.253 read
    by * none

# ACL for siteweb
access to attrs=uid
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=siteweb,ou=DSA,dc=femto-st,dc=org" read
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# access to OU=1 for LPMO
access to dn.children="ou=1,dc=femto-st,dc=org"
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=lpmo,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# access to OU=2 for LOPMD
access to dn.children="ou=2,dc=femto-st,dc=org"
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=lopmd,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# access to OU=3 for LMARC
access to dn.children="ou=3,dc=femto-st,dc=org"
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=lmarc,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# access to OU=4 for LCEP
access to dn.children="ou=4,dc=femto-st,dc=org"
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=lcep,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# access to OU=5 for CREST
access to dn.children="ou=5,dc=femto-st,dc=org"
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=crest,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# access to OU=6 for FEMTO-ST central administration
access to dn.children="ou=6,dc=femto-st,dc=org"
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=femto,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
    by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
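Added example, not code from the thread or from OpenLDAP itself: a small Python model of the two points the replies make, that the first `access to` directive whose `<what>` matches is the one used (so an earlier, broader directive shadows a later one) and that within it the first matching `by` clause decides, with an implicit `by * none` at the end. It also flags `by` clauses that carry more than one `<who>` specifier, the construct Aaron questions, so they can be checked with `slaptest -d acl`. Assumptions made here and not stated on the page: several specifiers in one `by` clause are treated as all-must-match, `dn=` is treated as an exact DN match, only `stop` control is modelled (the `continue`/`break` controls the reply mentions are rejected), and only the `<what>`/`<who>` forms used in the posted file are supported. The ACL text is a constructed excerpt in the shape of the posted file.

```python
"""Toy model of slapd.conf access-directive evaluation (constructed example, not OpenLDAP code)."""
import ipaddress
import shlex

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "continue", "break")

# Constructed excerpt shaped like the posted ACL file (DNs and 10.0.0.253 come from the thread).
SAMPLE_ACL = """
access to attrs=userPassword
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by anonymous auth
    by self read
    by * none
# anonymous read of a few public attributes, but only from one host
access to attrs=mail,telephoneNumber,cn,sn
    by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
    by self read
    by users read
    by anonymous peername.ip=10.0.0.253 read
    by * none
access to *
    by self read
    by users read
    by * none
"""


def parse_acls(text):
    """Return [(what_tokens, [(who_tokens, level, control), ...]), ...] in file order."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(shlex.split(line.split("#", 1)[0]))  # drop comments, keep quoted DNs whole
    directives, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["access", "to"]:
            raise ValueError("expected 'access to', got %r" % tokens[i])
        i, what = i + 2, []
        while i < len(tokens) and tokens[i] != "by":
            what.append(tokens[i]); i += 1
        bys = []
        while i < len(tokens) and tokens[i] == "by":
            i, who = i + 1, []
            # a <who> part runs until the access level (or a =/+/- privilege spec)
            while i < len(tokens) and tokens[i] not in LEVELS and tokens[i][0] not in "=+-":
                who.append(tokens[i]); i += 1
            if i == len(tokens):
                raise ValueError("by clause without an access level")
            level, i = tokens[i], i + 1
            control = "stop"
            if i < len(tokens) and tokens[i] in CONTROLS:
                control, i = tokens[i], i + 1
            bys.append((who, level, control))
        directives.append((what, bys))
    return directives


def _norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def what_matches(what, target_dn, attr):
    """'*' matches everything; otherwise every dn.<style>=/attrs= specifier present must hold."""
    if what == ["*"]:
        return True
    for spec in what:
        key, _, val = spec.partition("=")
        if key == "attrs":
            if attr.lower() not in [a.strip().lower() for a in val.split(",")]:
                return False
        elif key in ("dn.children", "dn.subtree"):
            base, tgt = _norm_dn(val), _norm_dn(target_dn)
            below = tgt.endswith("," + base)
            if not (below or (key == "dn.subtree" and tgt == base)):
                return False
        else:
            raise ValueError("unsupported <what> specifier: " + spec)
    return True


def who_matches(who, req):
    """Modelled as all-must-match for several specifiers in one by clause (assumption, see lead-in)."""
    bind = req["bind_dn"] or ""
    for spec in who:
        key, _, val = spec.partition("=")
        if spec == "*":
            continue
        if spec == "anonymous" and bind:
            return False
        if spec == "users" and not bind:
            return False
        if spec == "self" and (not bind or _norm_dn(bind) != _norm_dn(req["target_dn"])):
            return False
        if key in ("dn", "dn.exact") and _norm_dn(val) != _norm_dn(bind):  # exact match (simplification)
            return False
        if key == "peername.ip":  # peername.ip=<ip>[%<mask>]
            ip, _, mask = val.partition("%")
            if ipaddress.ip_address(req["peer_ip"]) not in ipaddress.ip_network(ip + "/" + (mask or "32"), strict=False):
                return False
    return True


def evaluate(acl_text, bind_dn, peer_ip, target_dn, attr):
    """First matching directive, then first matching by clause; no matching by clause denies."""
    req = {"bind_dn": bind_dn, "peer_ip": peer_ip, "target_dn": target_dn}
    for what, bys in parse_acls(acl_text):
        if not what_matches(what, target_dn, attr):
            continue
        for who, level, control in bys:
            if control != "stop":
                raise ValueError("<control> %r is not modelled here" % control)
            if who_matches(who, req):
                return level
        return "none"
    return "none"


def lint(acl_text):
    """List by clauses that combine several <who> specifiers, for review with slaptest -d acl."""
    return ["directive %d: 'by %s %s' combines %d <who> specifiers" % (n, " ".join(who), lvl, len(who))
            for n, (_, bys) in enumerate(parse_acls(acl_text), 1)
            for who, lvl, _ in bys if len(who) > 1]


if __name__ == "__main__":
    entry = "uid=jdoe,ou=1,dc=femto-st,dc=org"
    for attr, ip in (("mail", "10.0.0.253"), ("mail", "10.0.0.7"), ("uid", "10.0.0.253")):
        print("anonymous from %s on %s -> %s" % (ip, attr, evaluate(SAMPLE_ACL, None, ip, entry, attr)))
    for finding in lint(SAMPLE_ACL):
        print("WARN", finding)
```

Prepending a broader directive such as `access to * by * none` to the same text makes `evaluate` return `none` for every anonymous request, which is Terry's ordering point in miniature. The model is a reading aid only; the authoritative check is `slaptest -d acl` on the real slapd.conf.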