I don't know what the problem is, but with your suggestion it should run well, and it doesn't. I have tried both ways. My LDAP server is:

dc=tel,dc=uva,dc=es
    cn=root
    ou=users
        uid=dpercam (GID=1002)
        uid=caralo (GID=1001)
    ou=groups
        cn=profesores (gidNumber=1001)
        cn=alumnos (gidNumber=1002)

Do I have to include something more in the sentences below?

Thank you!
From: Pierangelo Masarati <ando@sys-net.it>
To: Daniel Pérez del Campo <dpercam@hotmail.com>
CC: openldap-software@openldap.org
Subject: Re: ACL to bind groups from a IP
Date: Tue, 23 Oct 2007 18:07:02 +0200
Daniel Pérez del Campo wrote:
I have read all that you suggested to me. I have this ACL:
access to attrs=userPassword by peername.ip=192.168.70.133 write by * none
With this, the users can bind from this IP, but I can't include groups, or something about users that have GID=1000, for example.
slapd.access(5) clearly states that "by" clauses can be ANDed by simply setting more than one. For example
access to attrs=userPassword by peername.ip=192.168.70.133 group="cn=Profesores" write
If you want to get to allowing access based on the **contents** of the entry the client is binding as, I fear you need to use sets; in that case, you need to learn sets' syntax (http://www.openldap.org/faq/data/cache/1133.html); something like
access to attrs=userPassword by peername.ip=192.168.70.133 set="user/gidNumber & 1000" write
p,
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
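Putting the two mechanisms from the thread (ANDed "by" specifiers and a set) together for the tree Daniel posted, as an added example that is not from either message. It assumes gidNumber is stored on each user entry, as his tree shows; it uses `this` rather than `user` because a bind request is still anonymous when slapd checks auth access to userPassword, and writes the literal as `[1001]` because literals in set syntax are bracketed.

```conf
# Added example (not from the thread): slapd.conf ACL assembled from the
# tree posted above. Base dc=tel,dc=uva,dc=es; gidNumber 1001 = profesores.
# Assumption: each user entry carries its own gidNumber attribute.
#
# Both <who> specifiers in the first "by" clause must match (they are
# ANDed): the client must connect from 192.168.70.133 AND the entry being
# bound as must have gidNumber 1001.
#
# "this" is the target entry (the one whose userPassword is checked); at
# bind time the requester is still anonymous, so "user" would be empty.
# "auth" is all a simple bind needs; "write" would also let that client
# change the password.
access to attrs=userPassword
    by peername.ip=192.168.70.133 set="this/gidNumber & [1001]" auth
    by * none
```

Any other client, or a profesores member connecting from a different address, gets no access to userPassword and therefore cannot bind.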