--On Wednesday, July 22, 2009 11:23 AM -0400 Kage <kagekon...@gmail.com> wrote:

I currently have my LDAP ACLs set up as follows:

access to attrs=userPassword,mail
  by self write
  by dnattr=owner write
  by anonymous auth
access to *
  by * read

I noticed there is an ACL setting called peername that I can use to limit
access by IP.  Ideally, what I would like to do is keep the above ACLs,
and ALSO limit access by a certain group of IP addresses.  Consider the
following pseudocode:

Allow access to (whatever) by (self AND ipaddr=(ip1|ip2|ip3)) write, by
(dnattr=owner AND ipaddr=(ip1|ip2|ip3)) write, ... etc.

Basically, I want to allow self write ONLY if connecting from a certain
group of IPs, allow dnattr=owner ONLY if connecting from a certain group
of IPs, ...etc.  You can probably see where I am going with this.

Further, I want "access * by * read" also limited to this, and if none of
these match, deny all.

access to attrs=userPassword,mail
 by peername.ip=addr%mask self write
 by dnattr=owner peername.ip=addr%mask write
 by anonymous auth

etc. Please see the slapd-access(5) man page for more information on how to use peername.ip.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
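To see why a peername.ip selector written in the same "by" clause as self or dnattr=owner does what the question asks, here is a small Python model of slapd's evaluation order (first matching "access to" directive, then first matching "by" clause, every selector in that clause ANDed, and "none" when nothing matches). This is an added illustration, not code from the thread or from OpenLDAP; the 192.0.2.0/24 range, the DNs and the "owner" attribute values are constructed placeholders.

```python
import ipaddress

def ip_matches(spec, client_ip):
    """peername.ip=<addr>[%<mask>] as in slapd.access(5); no mask means the exact host."""
    addr, _, mask = spec.partition("%")
    net = ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)
    return ipaddress.ip_address(client_ip) in net

def who_matches(selectors, req):
    """Every <who> selector written in one 'by' clause must match (they are ANDed)."""
    for sel in selectors:
        if sel == "*":
            continue
        if sel == "anonymous":
            if req["bind_dn"]:
                return False
        elif sel == "self":
            if req["bind_dn"] != req["entry_dn"]:
                return False
        elif sel.startswith("dnattr="):
            if req["bind_dn"] not in req["entry"].get(sel[len("dnattr="):], []):
                return False
        elif sel.startswith("peername.ip="):
            if not ip_matches(sel[len("peername.ip="):], req["client_ip"]):
                return False
        else:
            raise ValueError(f"unsupported selector {sel!r}")  # fail closed, never silently match
    return True

def evaluate(acl, req):
    """slapd order: the first 'access to' whose <what> matches is the only one used;
    within it the first matching 'by' clause decides; no match means 'none'."""
    for what, by_clauses in acl:
        if what != "*" and req["attr"] not in what:
            continue
        for selectors, level in by_clauses:
            if who_matches(selectors, req):
                return level
        return "none"          # implicit 'by * none' at the end of the directive
    return "none"

# Constructed ACL modelled on the reply; 192.0.2.0/24 stands in for the permitted "inside" range.
INSIDE = "peername.ip=192.0.2.0%255.255.255.0"
ACL = [
    (["userPassword", "mail"], [
        ([INSIDE, "self"], "write"),
        (["dnattr=owner", INSIDE], "write"),
        (["anonymous"], "auth"),   # not IP-limited in the reply, so binds still work from outside
    ]),
    ("*", [([INSIDE], "read")]),   # 'by * read' narrowed to the inside range; everyone else gets none
]

def req(bind_dn, entry_dn, client_ip, attr, owner=()):
    return {"bind_dn": bind_dn, "entry_dn": entry_dn, "entry": {"owner": list(owner)},
            "client_ip": client_ip, "attr": attr}
```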
