Hi all,

I'm configuring an OpenLDAP server with the Perl backend. I've been able to set permissions for search on one of my backends to lock it down based on IP as follows:

    access to dn.sub="dc=alias"
        by peername.ip=127.0.0.1 read
        by peername.ip=10.181.24.193 read
        by peername.ip=10.181.35.243 read
        by * none

That makes it so that only those IPs listed can search and get results from that branch. I now need to do the same type of thing for another branch, but for authentication instead (i.e. only allow auth to occur if coming from an approved IP). I've tried the following:

    access to dn.sub="dc=mfa"
        by peername.ip=127.0.0.1 auth
        by peername.ip=10.181.24.193 auth
        by * none

But no luck. Any ideas/help? If I can't do this with an ACL, but I can get the IP address of the request passed in to the bind function in the Perl backend, I can handle the controls there.

-Etan

Etan E. Weintraub
Information Security Architect
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
Davis Building, Suite 3110B
Phone: 667-208-6309
E-mail: eweintra@jhmi.edu
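As an added illustration (not from the post above or from OpenLDAP itself), a small Python model of how slapd evaluates directives like the two quoted: directives are tried in order, the first one whose target matches decides, and within it the first matching `by` clause sets the granted level; a request succeeds when that level is at least the one needed. It models only the `dn.sub`, `peername.ip[%mask]` and `*` forms used in the post and says nothing about how back-perl's own bind handler treats them.

```python
import ipaddress
import re

# Access levels in slapd.access(5) order; a grant at one level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
def norm_dn(dn):
    # Case-insensitive comparison with whitespace after commas ignored (enough for this model).
    return re.sub(r",\s*", ",", dn.strip().lower())
def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' directives into (what, [(who, level)]) tuples."""
    acls = []
    for m in re.finditer(r"access\s+to\s+(\S+)((?:\s+by\s+\S+\s+\S+)+)", text):
        acls.append((m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))))
    return acls
def target_matches(what, dn):
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.sub="?([^"]*)"?', what)
    if not m:
        raise ValueError("unsupported <what>: " + what)
    base, d = norm_dn(m.group(1)), norm_dn(dn)
    return d == base or d.endswith("," + base)
def who_matches(who, peer_ip):
    if who == "*":
        return True
    m = re.fullmatch(r"peername\.ip=([^%\s]+)(?:%(\S+))?", who)
    if not m:
        raise ValueError("unsupported <who>: " + who)
    ip, mask = m.groups()  # optional %<mask> as in peername.ip=<ip>[%<mask>]
    net = ipaddress.ip_network(ip if mask is None else f"{ip}/{mask}", strict=False)
    return ipaddress.ip_address(peer_ip) in net
def granted_level(acls, dn, peer_ip):
    """First directive whose target matches decides; within it, the first matching <who> wins."""
    for what, bys in acls:
        if target_matches(what, dn):
            for who, level in bys:
                if who_matches(who, peer_ip):
                    return level
            return "none"  # target matched but no <who> clause did: denied
    return "none"  # no directive matched: denied once any ACLs are configured
def allowed(acls, dn, peer_ip, needed):
    return LEVELS.index(granted_level(acls, dn, peer_ip)) >= LEVELS.index(needed)

# Constructed input: the two directives from the post, one per line.
CONFIG = """
access to dn.sub="dc=alias" by peername.ip=127.0.0.1 read by peername.ip=10.181.24.193 read by peername.ip=10.181.35.243 read by * none
access to dn.sub="dc=mfa" by peername.ip=127.0.0.1 auth by peername.ip=10.181.24.193 auth by * none
"""
ACLS = parse_acl(CONFIG)
```

Running `allowed(ACLS, "uid=x,dc=mfa", "10.181.24.193", "auth")` shows the second directive grants `auth` from that address as written, so if binds still fail the cause lies outside the ACL syntax itself.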