Re: logical "AND" in slapd acl statement?
Aaron Bennett wrote:
Hi,
I'm sorry if this is a stupid question or one that's asked here often,
but...
I need to grant access to a few attributes to a specific dn, but ideally
ALSO only if that DN is coming from a specific ip range.
What I want is something like...
access to attrs=myAttribute
    by ( peername.ip="192.168.1.0%255.255.255.0" AND dn =
    "cn=me,ou=us,dc=myco,dc=com" ) read
I was pretty surprised that what I had above didn't work, and reading
the man 5 slapd.access it seems like it might not be possible. Am I
missing something? Is it actually possible to do this?
ACL semantics are not extremely flexible, but to some extent they allow
you to implement what you need in an extremely simple manner:
access to attrs=myAttribute
    by peername.ip="192.168.1.0%255.255.255.0"
       dn="cn=me,ou=us,dc=myco,dc=com" read
(alignment is only to avoid random line wrapping). Basically, within a
single "by" clause you can add as many criteria as you like, as long as
only one per type is provided (namely, you cannot have two "peername"
criteria). They are all AND-ed. Also, note that the order in which
they are provided does not really matter, since they are evaluated as
hardcoded in the related functions.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
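The AND-ing of criteria within one "by" clause, and the one-criterion-per-type limit, can be modelled to see which requests the rule above actually admits. The following is an added illustration written for this thread, not OpenLDAP code: it parses the peername.ip "addr%mask" form with the ipaddress module and treats dn= as an exact, case-insensitive comparison, which is a simplification of slapd's dnstyle handling (assumptions, not slapd behaviour).

```python
import ipaddress

# Constructed model of a single slapd ACL "by" clause: every criterion
# present must match (they are AND-ed), and a criterion type may appear
# at most once.  Illustration only; not slapd's real evaluator.

def parse_peername_ip(spec):
    """Parse slapd's peername.ip="addr%mask" form into an ip_network.

    A bare address (no '%') matches exactly that host.
    """
    if "%" in spec:
        addr, mask = spec.split("%", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(spec)

def parse_by_clause(clause):
    """Split 'peername.ip="..." dn="..." read' into (criteria, access).

    Simplification: criteria are whitespace-separated, so quoted values
    containing spaces are not handled here.
    """
    tokens = clause.split()
    access = tokens[-1]
    criteria = {}
    for tok in tokens[:-1]:
        key, _, value = tok.partition("=")
        if key in criteria:
            raise ValueError(f"duplicate criterion {key!r} in one by clause")
        criteria[key] = value.strip('"')
    return criteria, access

def clause_is_valid(clause):
    """True if the clause respects the one-criterion-per-type rule."""
    try:
        parse_by_clause(clause)
        return True
    except ValueError:
        return False

def by_clause_grants(clause, peer_ip, bind_dn):
    """Return the access level if ALL criteria match the request, else None."""
    criteria, access = parse_by_clause(clause)
    for key, value in criteria.items():
        if key == "peername.ip":
            if ipaddress.ip_address(peer_ip) not in parse_peername_ip(value):
                return None
        elif key == "dn":  # assumption: exact, case-insensitive DN match
            if bind_dn.lower() != value.lower():
                return None
        else:
            raise ValueError(f"unsupported criterion {key!r}")
    return access

# The rule from the reply above.
RULE = 'peername.ip="192.168.1.0%255.255.255.0" dn="cn=me,ou=us,dc=myco,dc=com" read'
```

Run by_clause_grants(RULE, ...) with a matching DN from outside 192.168.1.0/24, or the right subnet with another DN, and the result is None: either criterion failing denies access.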