Quoting "Terry L. Inzauro" <[EMAIL PROTECTED]>:

[EMAIL PROTECTED] wrote:
I omitted a detail: it works fine if the command is used with an
authenticated user.
--
Emmanuel Aubert

Quoting Aaron Richton <[EMAIL PROTECTED]>:

  ==> by anonymous peername.ip=10.0.0.253 read

I don't think that's valid syntax because you have two <who> clauses,
anonymous and peername.ip. Try only
    by peername.ip=10.0.0.253 read
without "anonymous". I'd expect something like this to show up on
"slaptest -d acl". If you want additive "anonymous and peername.ip"
behavior see "<control>" directives.


I didn't read the ACLs thoroughly to see if they'd work with this
change, but it's a starting point...

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Are there any other ACL(s) ahead of or prior to the IP ACL that might be blocking access? Ordering is very important.

_Terry

Hello.

I have attached the ACL file to this mail.

Thank you for your help.

--
Emmanuel


# Define global ACLs to disable default read access for
# dc=femto-st,dc=org,dc=fr.

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:

# Some general ACLs
access to attrs=userPassword
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by anonymous auth
        by self read
        by * none

# ACL for mail management
access to attrs=mailAlternateAddress,accountStatus,mailMessageStore
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=mail,ou=DSA,dc=femto-st,dc=org" read
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none

# ACL for anonymous access
access to attrs=mail,telephoneNumber,roomNumber,displayName,cn,sn,givenName
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=mail,ou=DSA,dc=femto-st,dc=org" read
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by anonymous peername.ip=10.0.0.253 read
        by * none

# ACL for siteweb
access to attrs=uid
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=siteweb,ou=DSA,dc=femto-st,dc=org" read
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none

# access to OU=1 for LPMO
access to dn.children="ou=1,dc=femto-st,dc=org"
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=lpmo,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none 

# access to OU=2 for LOPMD
access to dn.children="ou=2,dc=femto-st,dc=org"
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=lopmd,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none 

# access to OU=3 for LMARC
access to dn.children="ou=3,dc=femto-st,dc=org"
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=lmarc,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none 

# access to OU=4 for LCEP
access to dn.children="ou=4,dc=femto-st,dc=org"
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=lcep,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none 

# access to OU=5 for CREST
access to dn.children="ou=5,dc=femto-st,dc=org"
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=crest,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none 

# access to OU=6 for FEMTO-ST central administration
access to dn.children="ou=6,dc=femto-st,dc=org"
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=femto,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none 

# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
        by dn="cn=replicator,ou=DSA,dc=femto-st,dc=org" write
        by dn="cn=uniweb,ou=DSA,dc=femto-st,dc=org" write
        by self read
        by users read
        by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
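The first-match evaluation the replies above rely on (first "access to" whose target matches, then the first "by" clause whose <who> matches, default control "stop"), modeled in Python against the thread's own "mail" directive. This is an added example, not code from the thread or from OpenLDAP; the selectors are a simplified subset of slapd.access(5), and the ACL data and client addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

@dataclass
class Requester:
    dn: Optional[str]       # None models an anonymous (unauthenticated) bind
    peer_ip: str            # client address seen by slapd (peername.ip)

@dataclass
class Clause:
    who: dict               # selectors, e.g. {"peername.ip": "10.0.0.253"}
    access: str             # one of LEVELS

@dataclass
class Directive:
    attrs: Optional[set]    # attribute names; None stands for "access to *"
    clauses: list           # ordered "by" clauses

def who_matches(who: dict, r: Requester) -> bool:
    """Every selector in one <who> must hold; "*" matches everyone."""
    tests = {
        "*": lambda v: True,
        "anonymous": lambda v: r.dn is None,
        "users": lambda v: r.dn is not None,
        "dn": lambda v: r.dn is not None and r.dn.lower() == v.lower(),
        "peername.ip": lambda v: r.peer_ip == v,
    }
    return all(tests[k](v) for k, v in who.items())

def granted(acl: list, r: Requester, attr: str, wanted: str) -> bool:
    """First directive whose target matches, then first matching clause (stop)."""
    for d in acl:
        if d.attrs is not None and attr not in d.attrs:
            continue
        for c in d.clauses:
            if who_matches(c.who, r):
                return LEVELS.index(c.access) >= LEVELS.index(wanted)
        return False            # directive selected but no clause matched: deny
    return False                # no directive matched: deny in this model
# Constructed ACL: the thread's "mail" directive with a lone peername.ip selector.
MAIL_ACL = [Directive({"mail", "cn", "sn"}, [
    Clause({"dn": "cn=uniweb,ou=DSA,dc=femto-st,dc=org"}, "write"),
    Clause({"users": True}, "read"),
    Clause({"peername.ip": "10.0.0.253"}, "read"),
    Clause({"*": True}, "none"),
])]
# Same clauses with "by * none" ahead of the IP clause: the first match wins.
BAD_ORDER_ACL = [Directive({"mail"}, [Clause({"*": True}, "none"),
                                      Clause({"peername.ip": "10.0.0.253"}, "read")])]
```

Running slaptest -d acl against the real slapd.conf remains the authoritative check; this model only shows why clause order decides the outcome.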
