I now need to do the same type of thing for another branch, but for
authentication instead (i.e. only allow auth to occur if coming from an
approved IP). I've tried the following:
access to dn.sub="dc=mfa"
by peername.ip=127.0.0.1 auth
by peername.ip=10.181.24.193 auth
by * none
But no luck. Any ideas/help? If I can't do this with an ACL, if I can
get the IP address of the request passed in to the bind function in the
Perl backend, I can handle the controls there.

That's not really what "auth" access means. Are you using simple binds? If so, I'd try something like:
access to dn.sub="dc=mfa" attrs=userPassword
by peername.ip=127.0.0.1 anonymous auth
by peername.ip=10.181.24.193 anonymous auth
by <admin> write
access to dn.sub="dc=mfa"
by users read
Now this makes some assumptions: a) Users auth against an entry in the
dc=mfa tree, and b) that users only exist in that tree.
Alternatively, you may wish to look at set-based ACLs to set it so that only entries that exist /in/ the dc=mfa tree can read entries in the dc=mfa tree, combined with the IP restrictions.
--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
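To see why the suggested rules restrict simple binds to the listed addresses while still letting bound users read the tree, here is an added example (not code from the thread, nor from OpenLDAP) that models slapd's ACL evaluation in Python. It assumes the first-match semantics described in slapd.access(5): the first "access to" whose target matches is used, the first "by" clause whose who-specifiers all match decides, and a rule with no matching "by" clause denies. It ignores rootdn bypass, ssf, and the entry/children pseudo-attributes. The "<admin>" placeholder from the reply is replaced with a constructed dn.exact="cn=admin,dc=mfa", and the user DNs and the unapproved address 192.0.2.10 are constructed sample values.

```python
"""Simplified first-match model of slapd ACL evaluation (added example).

Semantics modelled after slapd.access(5): first matching 'access to' rule
is used; within it the first 'by' clause whose who-specifiers all match
decides; no matching 'by' clause means access is denied.
"""
from dataclasses import dataclass
from typing import Optional

# Access levels from slapd.access(5), least to most privileged.
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}


@dataclass(frozen=True)
class Client:
    ip: str                          # peername.ip of the connection
    bound_dn: Optional[str] = None   # None while anonymous (before a bind)


@dataclass(frozen=True)
class ByClause:
    who: tuple                       # who-specifiers; all must match (ANDed)
    level: str


@dataclass(frozen=True)
class AccessRule:
    dn_sub: str                      # dn.sub="...": the entry or anything below it
    attrs: Optional[frozenset]       # None means the entry and every attribute
    by: tuple


def dn_in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def who_matches(spec: str, client: Client) -> bool:
    if spec == "*":
        return True
    if spec == "anonymous":
        return client.bound_dn is None
    if spec == "users":
        return client.bound_dn is not None
    if spec.startswith("peername.ip="):
        return client.ip == spec.split("=", 1)[1]
    if spec.startswith("dn.exact="):
        return (client.bound_dn or "").lower() == spec.split("=", 1)[1].lower()
    raise ValueError(f"who-specifier not supported by this model: {spec}")


def evaluate(rules, client: Client, target_dn: str, attr: str, needed: str) -> bool:
    """True if `client` has at least `needed` access to `attr` of `target_dn`."""
    for rule in rules:
        if not dn_in_subtree(target_dn, rule.dn_sub):
            continue
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for clause in rule.by:                      # first matching clause wins
            if all(who_matches(w, client) for w in clause.who):
                return LEVELS[clause.level] >= LEVELS[needed]
        return False                                # implicit "by * none"
    return False                                    # no rule covers the target


# The reply's suggested ACL, transcribed into this model. "<admin>" in the
# reply is a placeholder; cn=admin,dc=mfa is a constructed stand-in for it.
SUGGESTED_ACL = (
    AccessRule("dc=mfa", frozenset({"userpassword"}), (
        ByClause(("peername.ip=127.0.0.1", "anonymous"), "auth"),
        ByClause(("peername.ip=10.181.24.193", "anonymous"), "auth"),
        ByClause(("dn.exact=cn=admin,dc=mfa",), "write"),
    )),
    AccessRule("dc=mfa", None, (
        ByClause(("users",), "read"),
    )),
)


def simple_bind_allowed(rules, ip: str, bind_dn: str) -> bool:
    """A simple bind checks the supplied password against userPassword of
    bind_dn, which needs 'auth' access; the connection is still anonymous."""
    return evaluate(rules, Client(ip, None), bind_dn, "userPassword", "auth")


def read_allowed(rules, client: Client, dn: str, attr: str) -> bool:
    return evaluate(rules, client, dn, attr, "read")


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=mfa"            # constructed sample entry
    print("bind from 127.0.0.1       :", simple_bind_allowed(SUGGESTED_ACL, "127.0.0.1", alice))
    print("bind from 192.0.2.10      :", simple_bind_allowed(SUGGESTED_ACL, "192.0.2.10", alice))
    print("bound user reads mail     :", read_allowed(SUGGESTED_ACL, Client("192.0.2.10", alice), alice, "mail"))
    print("bound user reads password :", read_allowed(SUGGESTED_ACL, Client("127.0.0.1", alice), alice, "userPassword"))
```

Running it shows the two assumptions in the reply at work: a bind for an entry outside dc=mfa matches no rule and is denied regardless of address, and once bound, a user reads ordinary attributes through the second rule but never userPassword, because the first rule captures that attribute and offers bound users no matching "by" clause. Check any real change with slapd's ACL logging (loglevel acl) rather than trusting a model.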