> Is it possible to control the size limit based on the ip address?
>
> man slapd.conf
>
> limits <who> <limit> [<limit> [...]]
>
> The argument who can be any of
>
> anonymous | users | [dn[.<style>]=]<pattern> |
> group[/oc[/at]]=<pattern>
>
> Which doesn't look like the 'who' can be an ip address,
> but I just want to confirm that is the case (since the 'who' in
> slapd.access supports peername.ip and I'm hoping
> that the underlying code for both 'who's is the same :)

The man page is correct, it's not possible.

> Basically we have software running on a host that is
> unable to authenticate (due to 3rd party software)
> and we need to increase the size limits for queries coming from it,
> without increasing that limit for all anonymous binds.

Your problem sounds general enough to deserve an extension of the limits "who" clause semantics (I don't see it quite high-priority, though). In any case, the modification should be trivial enough. I suggest you file an ITS for a feature request.

> Are there alternative ways of doing this?
> Possibly setting up a server with back-ldap running, only allowing
> access from the specific
> ip address and letting the back-ldap server bind to real servers as an
> authorized account?
>
> Or is there a way to map ip address to an identity that can be used in
> the limits control.

Using idassert-bind with back-ldap would allow to transform an anonymous connection into an authorized one. However, the request would then appear as originating from the DSA instantiating the back-ldap, rather than from the actual client.

> We're running 2.3.24.

You should definitely upgrade.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: [EMAIL PROTECTED]
---------------------------------------
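The back-ldap arrangement discussed in the thread, sketched as an added example that is not part of the original message or the OpenLDAP project's own configuration. All hostnames, DNs, the client address, the credentials and the limit values are placeholders. That `idassert-authzFrom "dn.regex:.*"` admits anonymous clients is an assumption to check against slapd-ldap(5) for the version in use.

```conf
# ---- proxy slapd.conf (new instance in front of the real servers) ----
# Every hostname, DN, address and number below is a placeholder.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap-real.example.com/"

# Bind to the real server as a dedicated identity. With mode=none no
# proxyAuthz control is sent, so operations run as the binddn itself.
# The credentials are stored in clear text: keep this file readable
# only by the slapd user.
idassert-bind   bindmethod=simple
                binddn="cn=bulk-reader,ou=services,dc=example,dc=com"
                credentials="CHANGE-ME"
                mode=none

# Assumption: this pattern lets any local identity, including
# anonymous, use the asserted bind.
idassert-authzFrom "dn.regex:.*"

# Only the host that cannot authenticate may read through the proxy.
access to *
        by peername.ip=192.0.2.10 read
        by * none

# The proxy applies its own limits to the anonymous client first,
# so the raised limit has to be set here as well.
limits anonymous size=5000

# ---- real server slapd.conf (inside the existing database section) ----
# Raise the limit for the proxy identity only; anonymous binds keep
# the default size limit. Give this identity read-only access to the
# subtree the client needs and nothing more.
limits dn.exact="cn=bulk-reader,ou=services,dc=example,dc=com" size=5000
```

On the real servers every such request is logged with the proxy's address and bind DN, so per-client attribution has to come from the proxy's own logs.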
