[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Filter a ldap connection for a user comming from an IP source

To: Mik J <mikydevel@yahoo.fr>
Subject: Re: Filter a ldap connection for a user comming from an IP source
From: Kyle Smith <alacer.cogitatus@gmail.com>
Date: Thu, 4 Oct 2012 11:58:30 -0400
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=IZGypBQ+5eS3CRbPKcSxxNvGf3BbVCOw4cIDVJDmozU=; b=GGFfq37oZFuiAbafq6zEnrmM2hC6NCQLmaWFdNzcDhXecLMJtNNYyJ6JlV7xauVIjm i/NzIlbxm7cxJZQUuB6kQI6vQlgK1hly8B2qMBplQA86UpkMO0mqD1Y0gzLIKNzUvtbq vhyaq3xdt5NFGX2iCjAKL/AyFjFuoCiw3+YW62GrhfeeRaZao3k2AsBNckMDXy1shjST m37NBSCLpM66UGim60Rlf5pFxIfdE9mHq2+Lj8l9eLt4Q7YTiAAOANIZxnx+9adkGrH7 F0tXjAopt5mNFAZmf7OXQ1wuPFq2DfonAj7ia/9uSQjcE/HRXbYL5rbe64KIQa8hP9u4 /TFQ==
In-reply-to: <1349364787.51442.YahooMailNeo@web28801.mail.ir2.yahoo.com>
References: <1349364787.51442.YahooMailNeo@web28801.mail.ir2.yahoo.com>

I can't find specifics on how it works, but the acls contain a "set" command so something like:

access to <what>

Â Â Âby set="dn=[uid=myadmin,ou=people,dc=mydomain,dc=org] & peername.ip=1.1.1.1" read

might work for you, although I don't know the actual syntax or if this is how it was meant to be used.

The ACL reference is here:Âhttp://www.openldap.org/doc/admin24/access-control.html

Kyle

2012/10/4 Mik J <mikydevel@yahoo.fr>

Hello,

I have this ACL that allows the users myadmin to list encrypted passwords

access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
ÂÂÂÂÂÂÂ by dn="uid=myadmin,ou=people,dc=mydomain,dc=org" read

However this user my admin is supposed to come from one IP 1.1.1.1 only.
I think that the peername directive might help to achive this task but I don't know how to associate it with the user myadmin.
In conclusion I would like that the user myadmin coming from IP 1.1.1.1 be able to see the encrypted passwords.
If the user myadmin comes from another IP like 2.2.2.2 he would not match the ACL and therefore not be able to see encrypted passwords.

Does anyone know what is the syntax ?

Follow-Ups:
- Re: Filter a ldap connection for a user comming from an IP source
  - From: Mik J <mikydevel@yahoo.fr>

References:
- Filter a ldap connection for a user comming from an IP source
  - From: Mik J <mikydevel@yahoo.fr>

Prev by Date: Re: Can not build OpenLDAP with OpenSSL in custom location
Next by Date: Access denied consumer replication (OpenLDAP+Kerberos)
Index(es):
- Chronological
- Thread