
ACL problem
Hi,

I am using OLC and ACLs to limit responses from LDAP based on IP
address, and this is working fine if I have a single ACL. When I add a
second ACL, with a different IP address, the new ACL works, but the
previous one does not.

Example:
Entries in LDAP:

# 10.0.0.92, servers, test.com
dn: cn=10.0.0.92,ou=servers,dc=test,dc=com
objectClass: groupOfNames
cn: 10.0.0.92
description: Allowed access
member: uid=aaa,dc=test,dc=com

# 10.0.0.94, servers, test.com
dn: cn=10.0.0.94,ou=servers,dc=test,dc=com
objectClass: groupOfNames
cn: 10.0.0.94
description: Allowed access
member: uid=aaa,dc=test,dc=com

# aaa, test.com
dn: uid=aaa,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
uid: aaa
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/aaa
loginShell: /usr/local/bin/bash
mail: a@test.com
ou: users
cn: User A
sn: A
userPassword:: xxx

OLC entries:

# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za
 /parts/new/instances/test/openldap-data
olcSuffix: dc=test,dc=com
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,
 ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
 .ip="10.0.0.92" read by * none
olcAccess: {1}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: test


At this point, running ldapsearch from the computer with ip address
10.0.0.92 works correctly, and only the filtered results are returned.
If I then add a second ACL:


# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za
 /parts/new/instances/test/openldap-data
olcSuffix: dc=test,dc=com
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.94,
 ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
 .ip="10.0.0.94" read by * none
olcAccess: {1}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,
 ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
 .ip="10.0.0.92" read by * none
olcAccess: {2}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: test


The computer with IP 10.0.0.94 can now query LDAP, and receives the
correct filtered results, however the computer with IP 10.0.0.92
receives a blank result:


$ ldapsearch -x -h 10.0.0.91 -b dc=test,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


Is this the way that ACLs work in OpenLDAP? Or have I missed a
configuration setting somewhere?

Thanks
/Cole
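The result in the message above follows from how slapd evaluates access directives (slapd.access(5)): directives are scanned in order, the first one whose `to` clause matches the entry is used, and within it the first matching `by` clause decides, with the default control `stop` ending evaluation. The entry uid=aaa is a member of both server groups, so in the second configuration the {0} directive for 10.0.0.94 matches that entry for every client, and its `by * none` stops evaluation before the {1} directive for 10.0.0.92 is ever consulted. The script below is an added example, not part of Cole's message or of OpenLDAP: it models that ordering over entries and directives constructed from the post (the memberOf values assume the memberof overlay populates them, and the `self` clauses are left out because the posted ldapsearch binds anonymously), and also runs an assumed variant in which each per-server directive ends with `by * break` instead of `by * none`, so that a non-matching client falls through to the next directive.

```python
# Added example, not part of the original post or of OpenLDAP itself: a small
# model of slapd's access-directive evaluation order (slapd.access(5)), used to
# show why the second olcAccess set in the post returns nothing to 10.0.0.92.
# Entries and directives are constructed from the post; the memberOf values
# assume the memberof overlay populates them, and "self" clauses are omitted
# because the posted ldapsearch binds anonymously (-x without -D).

AAA = "uid=aaa,dc=test,dc=com"

# Constructed directory entries: attribute -> set of values.
ENTRIES = {
    AAA: {
        "objectClass": {"inetOrgPerson", "posixAccount", "ldapPublicKey",
                        "shadowAccount"},
        "memberOf": {"cn=10.0.0.92,ou=servers,dc=test,dc=com",
                     "cn=10.0.0.94,ou=servers,dc=test,dc=com"},
    },
    "cn=10.0.0.92,ou=servers,dc=test,dc=com": {"objectClass": {"groupOfNames"}},
    "cn=10.0.0.94,ou=servers,dc=test,dc=com": {"objectClass": {"groupOfNames"}},
}


def matches(entry, flt):
    """Evaluate a tiny LDAP-style filter: ("any",), ("eq", attr, value),
    ("and", f1, f2, ...), ("or", f1, f2, ...)."""
    op = flt[0]
    if op == "any":
        return True
    if op == "eq":
        return flt[2] in entry.get(flt[1], set())
    if op == "and":
        return all(matches(entry, f) for f in flt[1:])
    if op == "or":
        return any(matches(entry, f) for f in flt[1:])
    raise ValueError(f"unknown filter op {op!r}")


def server_filter(ip):
    """The <what> filter of the post's per-server olcAccess directive."""
    return ("or",
            ("and", ("eq", "objectClass", "inetOrgPerson"),
                    ("eq", "memberOf", f"cn={ip},ou=servers,dc=test,dc=com")),
            ("eq", "objectClass", "posixGroup"))


def evaluate(acls, entry, peer_ip):
    """Access a client at peer_ip gets on entry under a list of directives.

    Each directive is (filter, [(who, access, control)]): who is a
    peername.ip value or "*", access is a level or None (leave unchanged),
    control is "stop" (slapd's default) or "break". Directives are scanned in
    order and the first whose <what> matches the entry is used; within it the
    first matching <who> clause applies: "stop" ends evaluation, "break"
    carries the result on to the next directive. A directive whose <what>
    matched but no <who> did denies, like slapd's implicit trailing "by * none".
    """
    granted = "none"
    for flt, by_clauses in acls:
        if not matches(entry, flt):
            continue
        for who, access, control in by_clauses:
            if who not in ("*", peer_ip):
                continue
            if access is not None:
                granted = access
            if control == "break":
                break            # go on to the next olcAccess directive
            return granted       # "stop": evaluation ends here
        else:
            return "none"        # <what> matched, no <who> did: implicit by * none
    return granted


def peer_acl(ip, final="none", control="stop"):
    """olcAccess: to filter=(...ip...) by peername.ip="ip" read by * <final> <control>"""
    return (server_filter(ip), [(ip, "read", "stop"), ("*", final, control)])


# The post's last directive: to * by peername.ip="127.0.0.1" write by * none
CATCH_ALL = (("any",), [("127.0.0.1", "write", "stop"), ("*", "none", "stop")])

ONE_SERVER = [peer_acl("10.0.0.92"), CATCH_ALL]                         # first config
AS_POSTED = [peer_acl("10.0.0.94"), peer_acl("10.0.0.92"), CATCH_ALL]   # second config
# Assumed alternative (not in the post): "by * break" instead of "by * none",
# so a client that does not match this directive is judged by the next one.
WITH_BREAK = [peer_acl("10.0.0.94", None, "break"),
              peer_acl("10.0.0.92", None, "break"), CATCH_ALL]


def search_visible(acls, peer_ip):
    """DNs a client at peer_ip can read, i.e. what its subtree search returns."""
    return sorted(dn for dn, entry in ENTRIES.items()
                  if evaluate(acls, entry, peer_ip) in ("read", "write"))


if __name__ == "__main__":
    for name, acls in [("one server", ONE_SERVER), ("as posted", AS_POSTED),
                       ("with break", WITH_BREAK)]:
        for ip in ("10.0.0.92", "10.0.0.94"):
            print(f"{name:10s} {ip}: {search_visible(acls, ip)}")
```

With AS_POSTED the model reproduces the post: 10.0.0.94 sees uid=aaa and 10.0.0.92 sees nothing, because the 10.0.0.94 directive matches the entry first and its `by * none` stops evaluation. With WITH_BREAK both servers see the entry and an unlisted client still ends at the catch-all `by * none`. The `break` control is a documented slapd option; treating it as the fix here is an assumption of this example, so confirm against slapd.access(5) and test with ldapsearch from each host before relying on it.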