https://bugs.openldap.org/show_bug.cgi?id=9512
Issue ID: 9512
Summary: Add ability to restrict by client ip address in ACLs
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
Currently it is possible via ACLs to enforce restrictions based on which slapd host interface is connected to via the peername parameter. However, it's not possible to enforce ACL restrictions based on the IP address used by the client. This would be a useful feature when wanting to restrict certain DNs to only being able to have access if they connect from a certain IP or IP range.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
Target Milestone | ---     | 2.6.0
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed | Added
See Also |         | https://bugs.openldap.org/show_bug.cgi?id=5271
Howard Chu hyc@openldap.org changed:
What       | Removed     | Added
Status     | UNCONFIRMED | RESOLVED
Resolution | ---         | INVALID
--- Comment #1 from Howard Chu hyc@openldap.org ---
(In reply to Quanah Gibson-Mount from comment #0)
> Currently it is possible via ACLs to enforce restrictions based on which slapd host interface is connected to via the peername parameter. However, it's not possible to enforce ACL restrictions based on the IP address used by the client.
Wrong. The peername parameter is the client's IP address. The sockname parameter is for the slapd address.
> This would be a useful feature when wanting to restrict certain DNs to only being able to have access if they connect from a certain IP or IP range.
Already works as designed.
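To show the restriction the original report asks for, and the point made in comment #1 that peername already carries the client address, here is an added example of a cn=config ACL that only grants a service account read access when it connects from a given client subnet. This is example configuration written for this page, not code from the bug report or from the OpenLDAP project; the database entry name, the DNs, the 192.0.2.0/24 and 2001:db8::/64 ranges and the attribute values are all assumed for illustration.

```ldif
# Added example, not from the bug report: restrict one bind DN to a client
# subnet using the peername.ip / peername.ipv6 styles from slapd.access(5).
# The database DN, the directory DNs and the addresses below are assumed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# "by" clauses are tried in order and the first that matches wins, so the
# deny rule for cn=backup must come after the subnet-qualified allow rule
# and before any broader grant. Within one "by", the dn.exact and
# peername.ip conditions must both hold. "%<mask>" is slapd's netmask
# syntax; an optional "{<port>}" suffix would also pin the client's
# source port, which is rarely useful.
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=backup,ou=services,dc=example,dc=com" peername.ip=192.0.2.0%255.255.255.0 read
  by dn.exact="cn=backup,ou=services,dc=example,dc=com" peername.ipv6=2001:db8::%ffff:ffff:ffff:ffff:: read
  by dn.exact="cn=backup,ou=services,dc=example,dc=com" none
  by self write
  by users read
  by * none
```

peername is the address of the TCP peer slapd actually talks to, so if clients reach slapd through a load balancer or proxy the rule sees the proxy's address, not the original client's; the same goes for ldapi:// connections, which have a socket path rather than an IP (peername.path). Once loaded with ldapmodify, the rule can be checked offline with slapacl(8), which accepts `-o peername=...` to simulate the client address (slapd's internal form is assumed here to look like `IP=192.0.2.10:49152`): run it once with an address inside the range and once outside and confirm that read is granted only in the first case.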
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed                                              | Added
Summary    | Add ability to restrict by client ip address in ACLs | Add ability to restrict by server ip address in ACLs
Resolution | INVALID                                              | ---
Status     | RESOLVED                                             | UNCONFIRMED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
sockname does not allow ip addresses, so you can't restrict by server interface.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
Severity         | normal  | enhancement
Target Milestone | 2.6.0   | ---