Re: ACL troubles
Julien Garnier writes:
> access to dn.base=""
> by peername.regex="IP=A\.A\.A\..+" read
> by peername.regex="IP=127\.0\.0\.1" read
> by * none
This only sets the access to the entry named "", i.e. the entry the
server itself generates automatically. Doesn't sound like that is
what you want.
> access to dn.sub="ou=people,ou=compagnie,ou=com"
> filter=(ou=DIV1*)
This sets access to all entries in the people subtree which
contain an 'ou' attribute starting with "DIV1". It doesn't say
which filter people are allowed to use.
> by peername.regex="IP=B\.B\.B\.B" read
> by * none
You don't give people at A.A.A.* any access to this subtree.
Read man slapd.access(5). It sounds like what you need is something
like this:
# hide userPassword, but allow anyone in the related IPs to log in
access to attrs=userPassword
by peername.ip=A.A.A.0%255.255.255.0 auth
by peername.ip=127.0.0.1 auth
by peername.ip=B.B.B.B auth
by * none
# allow everyone locally read access to everything else, and no access
# for others but continue checking other access statements for people at
# B.B.B.B
access to *
by peername.ip=A.A.A.0%255.255.255.0 read
by peername.ip=127.0.0.1 read
by peername.ip=B.B.B.B none break
by * none
# access for folks at B.B.B.B....
# allow them to search with this baseDN
access to dn.exact="ou=people,ou=compagnie,ou=com" attrs=entry by * =s
# allow them to find entries in this subtree matching this filter,
# and nothing else:
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
by * none break
by * none
# allow them to search for and read 'ou' (though they can also list
# all allowed entries by searching with the "true" filter "(&)"):
access to attrs=ou by * =sr
# allow them to read everything they find
access to attrs=* by * =r
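A toy evaluator for the ACL walk described above, added here as an illustration (it is not OpenLDAP's code). It assumes constructed addresses (A.A.A.0/24 as 10.1.1.0/24, B.B.B.B as 192.0.2.5), models =sr and =r as read and =s as search, and lets you check what a given peer gets on a given attribute before loading the config into slapd:

```python
"""Toy model of slapd's ACL walk (not OpenLDAP code): the first matching
'access to' clause wins, its 'by' clauses are tried in order, a matching
'by ... break' moves on to the next 'access to' clause, and no matching 'by'
clause means none (the implicit 'by * none').  IPs, DNs, entries constructed."""
import ipaddress

def ip_matches(pattern, peer_ip):
    """peername.ip=<ip>[%<mask>], the form used in the reply above."""
    if "%" in pattern:
        net, mask = pattern.split("%")
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == peer_ip

def what_matches(rule, dn, attr, entry):
    """Does this 'access to <what>' clause cover (dn, attr, entry)?"""
    kind, value = rule.get("dn", ("any", None))
    if kind in ("base", "exact") and dn != value:
        return False
    if kind == "sub" and not (dn == value or dn.endswith("," + value)):
        return False
    if rule.get("attrs") and attr not in rule["attrs"]:
        return False
    return rule.get("filter", lambda e: True)(entry)

def evaluate(acl, peer_ip, dn, attr, entry):
    """Access level the ACL grants peer_ip on attr of dn (entry = its attrs)."""
    for rule in acl:
        if not what_matches(rule, dn, attr, entry):
            continue
        for who, level, control in rule["by"]:
            if who == "*" or ip_matches(who, peer_ip):
                if control == "break":
                    break                      # go on to the next 'access to'
                return level
        else:
            return "none"                      # implicit 'by * none'
    return "none"

# The reply's ACL with constructed addresses: A.A.A.0/24 -> 10.1.1.0/24,
# B.B.B.B -> 192.0.2.5.  '=sr' and '=r' are modelled as read, '=s' as search.
LAN, LOCAL, REMOTE = "10.1.1.0%255.255.255.0", "127.0.0.1", "192.0.2.5"
PEOPLE = "ou=people,ou=compagnie,ou=com"
ACL = [
    {"attrs": {"userPassword"}, "by": [(LAN, "auth", "stop"),
        (LOCAL, "auth", "stop"), (REMOTE, "auth", "stop"), ("*", "none", "stop")]},
    {"by": [(LAN, "read", "stop"), (LOCAL, "read", "stop"),
            (REMOTE, "none", "break"), ("*", "none", "stop")]},
    {"dn": ("exact", PEOPLE), "attrs": {"entry"}, "by": [("*", "search", "stop")]},
    {"dn": ("sub", PEOPLE), "by": [("*", "none", "break"), ("*", "none", "stop")],
     "filter": lambda e: any(v.startswith("DIV1") for v in e.get("ou", []))},
    {"attrs": {"ou"}, "by": [("*", "read", "stop")]},
    {"by": [("*", "read", "stop")]},
]
```

For example, evaluate(ACL, "192.0.2.5", PEOPLE, "entry", {}) returns "search" because the B.B.B.B peer breaks out of the "access to *" clause and lands on the dn.exact clause, while an address outside all three ranges gets "none" there.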
--
Hallvard
- References:
- ACL troubles
- From: Julien Garnier <julien.garnier@dr13.cnrs.fr>