[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL troubles

To: Jonathan Clarke <jclarke@linagora.com>
Subject: Re: ACL troubles
From: Julien Garnier <julien.garnier@dr13.cnrs.fr>
Date: Fri, 28 Mar 2008 15:59:21 +0100
Cc: OpenLDAP <openldap-software@openldap.org>
In-reply-to: <47ED00E7.9070400@linagora.com>
References: <47ECCD6C.80805@dr13.cnrs.fr> <47ED00E7.9070400@linagora.com>
User-agent: Thunderbird 2.0.0.12 (Windows/20080213)

Jonathan Clarke a Ãcrit :

Hi Julien,

Julien Garnier a Ãcrit :

Hi,

I have some problems to configure my aACL's and hope someone can help me.

I want all my local subnet (A.A.A.x) have entire read acces, It's OK.
I want some IP have acces only to one search : for example, I want that
IP1 B.B.B.B can only do this search and that any other search return
error :
ldapsearch -x -b "ou=people,ou=compagnie,ou=com"  "(ou=DIV1*)" -LLL

I don't find how to configure that.
I've tried :

access to dn.base=""
       by peername.regex="IP=A\.A\.A\..+" read
       by peername.regex="IP=127\.0\.0\.1" read
       by * none


access to dn.sub="ou=people,ou=compagnie,ou=com"
       filter=(ou=DIV1*)
       by peername.regex="IP=B\.B\.B\.B" read
       by * none

but dosn't work, I have an insufficient acces 50 error.


AFAIK, you can't limit search rights depending on the filter used in the
search. The syntax you have above limits read access to all entries that
correspond to the "ou=DIV1*" filter.

You have an "insufficient access" error because you are trying to search
based on "ou=people", but don't have the right to (because ou=people
doesn't match "ou=DIV1*").

To get closer to what you want, you could try this:

access to dn.sub="ou=people,ou=compagnie,ou=com" attrs=ou
	by peername.regex="IP=B\.B\.B\.B" search
	by peername.regex="IP=A\.A\.A\..+" read
	by * break

access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
	by peername.regex="IP=B\.B\.B\.B" read
	by peername.regex="IP=A\.A\.A\..+" read
	by * none

access to *
	by peername.regex="IP=A\.A\.A\..+" read

This way, IP B.B.B.B can search through ou=people, and only read entries
that match the "ou=DIV1*" filter. They will also be allowed to perform
any search using the "ou" attribute, but the only results will match
"ou=DIV1*".

Hope this helps.

Regards, Jonathan

Hi Jonathan,

Thanks for your help !
I juste set the ACL with this config and seems to work :

access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
	by peername.regex="IP=B\.B\.B\.B" read
	by peername.regex="IP=A\.A\.A\..+" read

access to *
	by peername.regex="IP=A\.A\.A\..+" read	
	by * none


My user is limited to the search

ldapsearch -x -b "ou=people,ou=compagnie,ou=com"  "(ou=DIV1*)"

Any other search return insufficient access

Julien

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- ACL troubles
  - From: Julien Garnier <julien.garnier@dr13.cnrs.fr>
- Re: ACL troubles
  - From: Jonathan Clarke <jclarke@linagora.com>

Prev by Date: Re: ACL troubles
Next by Date: ACL for members of PosixGroup?
Index(es):
- Chronological
- Thread