
Re: ACL troubles



Hi Julien,

Julien Garnier wrote:
> Hi,
> 
> I have some problems configuring my ACLs and hope someone can help me.
> 
> I want my whole local subnet (A.A.A.x) to have full read access; that's OK.
> I want some IPs to have access to only one search: for example, I want
> IP1 B.B.B.B to be able to do only this search, and any other search to
> return an error:
> ldapsearch -x -b "ou=people,ou=compagnie,ou=com"  "(ou=DIV1*)" -LLL
> 
> I can't find out how to configure that.
> I've tried :
> 
> access to dn.base=""
>        by peername.regex="IP=A\.A\.A\..+" read
>        by peername.regex="IP=127\.0\.0\.1" read
>        by * none
> 
> 
> access to dn.sub="ou=people,ou=compagnie,ou=com"
>        filter=(ou=DIV1*)
>        by peername.regex="IP=B\.B\.B\.B" read
>        by * none
> 
> but it doesn't work, I get an insufficient access (50) error.

AFAIK, you can't limit search rights depending on the filter used in the
search. The syntax you have above limits read access to all entries that
correspond to the "ou=DIV1*" filter.

You have an "insufficient access" error because you are trying to search
based on "ou=people", but don't have the right to (because ou=people
doesn't match "ou=DIV1*").

To get closer to what you want, you could try this:

access to dn.sub="ou=people,ou=compagnie,ou=com" attrs=ou
	by peername.regex="IP=B\.B\.B\.B" search
	by peername.regex="IP=A\.A\.A\..+" read
	by * break

access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
	by peername.regex="IP=B\.B\.B\.B" read
	by peername.regex="IP=A\.A\.A\..+" read
	by * none

access to *
	by peername.regex="IP=A\.A\.A\..+" read

This way, IP B.B.B.B can search through ou=people, and only read entries
that match the "ou=DIV1*" filter. They will also be allowed to perform
any search using the "ou" attribute, but the only results returned will
be the ones matching "ou=DIV1*".

Hope this helps.

Regards,
Jonathan
-- 
Jonathan Clarke

Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com
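To check what each set of directives actually grants, here is a toy evaluator of slapd access directives. It is an added example, not OpenLDAP code and not from either message above: it models the first-match semantics documented in slapd.access(5) (the first `access to` directive whose target matches is used, then the first matching `by` clause decides; `break` falls through to the next directive; otherwise the implicit `by * none` and `access to * by * none` apply). Filters are reduced to `(attr=value)`, `(attr=prefix*)` and `(!(...))`. The addresses 192.168.1.x and 10.0.0.1 are assumed stand-ins for A.A.A.x and B.B.B.B, the entries are constructed, and a privilege written together with `break` is ignored, which is a simplification of slapd's behaviour.

```python
"""Toy model of slapd access-directive evaluation (added example, not OpenLDAP code).
First matching `access to` target wins; inside it the first matching `by` decides;
`break` falls through to the next directive; otherwise an implicit `by * none` and
a trailing implicit `access to * by * none` apply (slapd.access(5))."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Privilege levels in increasing order; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    peer: str                    # regex tested against "IP=addr:port", or "*"
    level: Optional[str] = None  # None for a bare "by * break"
    control: str = "stop"        # "stop" (default) or "break"


@dataclass
class Access:
    dn_base: Optional[str] = None   # dn.base="..." (that one entry; "" is the root DSE)
    dn_sub: Optional[str] = None    # dn.sub="..."  (entry and its subtree)
    attrs: Optional[set] = None     # attrs=...     (None: all, including "entry")
    filter: Optional[str] = None    # filter=(...)
    by: list = field(default_factory=list)


def filter_matches(flt: str, attrs: dict) -> bool:
    """Minimal LDAP filter: (attr=value), (attr=prefix*), (!(...))."""
    m = re.fullmatch(r"\(!(\(.*\))\)", flt)
    if m:
        return not filter_matches(m.group(1), attrs)
    m = re.fullmatch(r"\((\w+)=([^()*]*)(\*?)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    name, want, prefix = m.group(1).lower(), m.group(2).lower(), m.group(3)
    have = [v.lower() for v in attrs.get(name, [])]
    return any(v.startswith(want) for v in have) if prefix else want in have


def target_matches(rule: Access, entry: dict, attr: str) -> bool:
    dn = entry["dn"].lower()
    if rule.dn_base is not None and dn != rule.dn_base.lower():
        return False
    if rule.dn_sub is not None:
        sub = rule.dn_sub.lower()
        if dn != sub and not dn.endswith("," + sub):
            return False
    if rule.attrs is not None and attr not in rule.attrs:
        return False
    return rule.filter is None or filter_matches(rule.filter, entry["attrs"])


def access_level(acl: list, peername: str, entry: dict, attr: str) -> str:
    """Level `peername` gets on (entry, attr); "entry" is the pseudo-attribute
    that stands for the entry itself (read on it is needed to return the entry)."""
    for rule in acl:
        if not target_matches(rule, entry, attr):
            continue
        for clause in rule.by:
            # peername.regex is an unanchored regex, so re.search is the right model.
            if clause.peer != "*" and not re.search(clause.peer, peername):
                continue
            if clause.control == "break":
                break                   # fall through to the next directive
            return clause.level or "none"
        else:
            return "none"               # implicit "by * none"
    return "none"                       # implicit "access to * by * none"


def granted(acl, peername, entry, attr, need) -> bool:
    return LEVELS.index(access_level(acl, peername, entry, attr)) >= LEVELS.index(need)


PEOPLE = "ou=people,ou=compagnie,ou=com"
SUBNET = r"IP=192\.168\.1\..+"   # assumed value of A.A.A.x
SINGLE = r"IP=10\.0\.0\.1"        # assumed value of B.B.B.B (note: not anchored)

# The directives from the question; dn.base="" covers only the root DSE.
ORIGINAL = [
    Access(dn_base="", by=[By(SUBNET, "read"), By(r"IP=127\.0\.0\.1", "read"), By("*", "none")]),
    Access(dn_sub=PEOPLE, filter="(ou=DIV1*)", by=[By(SINGLE, "read"), By("*", "none")]),
]
# The directives from the reply.
PROPOSED = [
    Access(dn_sub=PEOPLE, attrs={"ou"},
           by=[By(SINGLE, "search"), By(SUBNET, "read"), By("*", control="break")]),
    Access(dn_sub=PEOPLE, filter="(ou=DIV1*)",
           by=[By(SINGLE, "read"), By(SUBNET, "read"), By("*", "none")]),
    Access(by=[By(SUBNET, "read")]),
]
# Same directives with the filter one first: matching entries then get read on ou too.
REORDERED = [PROPOSED[1], PROPOSED[0], PROPOSED[2]]

# Constructed sample entries: the search base and two sub-entries.
BASE = {"dn": PEOPLE, "attrs": {"ou": ["people"]}}
DIV1 = {"dn": "ou=DIV1-sales," + PEOPLE, "attrs": {"ou": ["DIV1-sales"]}}
DIV2 = {"dn": "ou=DIV2," + PEOPLE, "attrs": {"ou": ["DIV2"]}}


def report(acl, peername) -> dict:
    """Levels on the targets that decide a search for (ou=DIV1*) under PEOPLE."""
    return {"base entry": access_level(acl, peername, BASE, "entry"),
            "DIV1 ou": access_level(acl, peername, DIV1, "ou"),
            "DIV1 entry": access_level(acl, peername, DIV1, "entry"),
            "DIV2 ou": access_level(acl, peername, DIV2, "ou"),
            "DIV2 entry": access_level(acl, peername, DIV2, "entry")}


if __name__ == "__main__":
    for name, acl in ("original", ORIGINAL), ("proposed", PROPOSED), ("reordered", REORDERED):
        for peer in ("IP=10.0.0.1:40001", "IP=192.168.1.7:40002", "IP=10.0.0.10:40003"):
            print(name, peer, report(acl, peer))
```

Running it shows a few things worth knowing before copying the directives into slapd.conf. With the original directives, nothing grants B.B.B.B (or the subnet) anything on the ou=people entry itself, and the subnet loses read on the whole people subtree, because the second directive ends with `by * none` and the first only covers the root DSE. With the proposal, the `attrs=ou` directive is the first match for every entry in the subtree, so B.B.B.B stops at `search` on ou even for DIV1 entries and the returned entries would come back without their ou values; placing the filter directive first (REORDERED above) gives read on ou for matching entries while non-matching entries still fall to the search-only directive. `peername.regex` is unanchored and the peername has the form IP=addr:port, so `IP=10\.0\.0\.1` also matches 10.0.0.10 through 10.0.0.199; end the pattern with `:` or, on 2.4, use `peername.ip=10.0.0.1`. Finally, slapd.access(5) for OpenLDAP 2.4 documents that a search also needs search access to the entry pseudo-attribute of the search base (noted there as introduced in 2.4); neither set of directives grants B.B.B.B that on ou=people, so on releases that enforce it an extra directive of the form `access to dn.base="ou=people,ou=compagnie,ou=com" attrs=entry by peername.regex=... search` is needed. The model above does not include that base check.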