Hi Julien,
Julien Garnier wrote:
Hi,
I have some problems configuring my ACLs and hope someone can help me.
I want my whole local subnet (A.A.A.x) to have full read access; that is OK. I want some IPs to have access to only one search: for example, I want IP B.B.B.B to be able to do only this search, and any other search to return an error:
ldapsearch -x -b "ou=people,ou=compagnie,ou=com" "(ou=DIV1*)" -LLL
I can't find how to configure that. I've tried:
access to dn.base=""
    by peername.regex="IP=A.A.A..+" read
    by peername.regex="IP=127.0.0.1" read
    by * none
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
    by peername.regex="IP=B.B.B.B" read
    by * none
but it doesn't work; I get an insufficient access (50) error.
AFAIK, you can't limit search rights depending on the filter used in the search. The syntax you have above limits read access to all entries that correspond to the "ou=DIV1*" filter.
You get an "insufficient access" error because you are trying to search with base "ou=people", but don't have the right to (because ou=people doesn't match "ou=DIV1*").
To get closer to what you want, you could try this:
access to dn.sub="ou=people,ou=compagnie,ou=com" attrs=ou
    by peername.regex="IP=B.B.B.B" search
    by peername.regex="IP=A.A.A..+" read
    by * break
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
    by peername.regex="IP=B.B.B.B" read
    by peername.regex="IP=A.A.A..+" read
    by * none
access to *
    by peername.regex="IP=A.A.A..+" read
This way, IP B.B.B.B can search through ou=people, and only read entries that match the "ou=DIV1*" filter. They will also be allowed to perform any search using the "ou" attribute, but the only results will be those matching "ou=DIV1*".
Hope this helps.
Regards, Jonathan
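To make the reasoning in the reply concrete, here is a small Python model of the ACL evaluation slapd performs for a search. It is an added example written for this page, not code from the thread or from OpenLDAP. It follows slapd.access(5): directives are tried in order and the first whose "what" part matches the entry and attribute is used; inside it the first matching "by" clause wins, "break" continues with later directives, and no matching "by" means "by * none". A search needs search access to the "entry" pseudo-attribute of the base, search access to the filter attribute on each candidate, and read access to "entry" of every entry returned. The sample directory, the peernames and the REFINED rule set are constructed assumptions. The refinement lists the "entry" pseudo-attribute alongside "ou" (under this model attrs=ou alone does not satisfy the base-entry check) and puts the filter rule first so that "ou" stays readable on DIV1 entries.

```python
"""Model of the ACL checks slapd makes during a search (added example, not from the thread).

Assumed semantics, per slapd.access(5): directives are tried in order and the first whose
<what> matches the entry and attribute is used; within it the first matching <by> wins,
"break" moves on to later directives, and no matching <by> means "by * none".
"""
import re
from fnmatch import fnmatchcase

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
PEOPLE = "ou=people,ou=compagnie,ou=com"

# Constructed sample directory: dn -> {attribute: [values]}
DIRECTORY = {
    PEOPLE: {"ou": ["people"]},
    "ou=DIV1," + PEOPLE: {"ou": ["DIV1"]},
    "ou=DIV2," + PEOPLE: {"ou": ["DIV2"]},
    "cn=alice,ou=DIV1," + PEOPLE: {"cn": ["alice"], "ou": ["DIV1"]},
    "cn=bob,ou=DIV2," + PEOPLE: {"cn": ["bob"], "ou": ["DIV2"]},
}

def rule(scope, base, flt, attrs, by):
    """One 'access to' directive: scope 'base', 'sub' or '*'; attrs None means every
    attribute, the entry pseudo-attribute included; by = [(peername regex or '*', level)]."""
    return {"scope": scope, "base": base, "filter": flt, "attrs": attrs, "by": by}

def matches_filter(attrs, flt):
    # Only the (attr=pattern) form with '*' wildcards, compared case-insensitively.
    attr, pattern = re.fullmatch(r"\((\w+)=([^)]*)\)", flt).groups()
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in attrs.get(attr.lower(), []))

def what_matches(r, dn, attr):
    if r["scope"] == "base" and dn != r["base"]:
        return False
    if r["scope"] == "sub" and not (dn == r["base"] or dn.endswith("," + r["base"])):
        return False
    if r["filter"] and not matches_filter(DIRECTORY[dn], r["filter"]):
        return False
    return r["attrs"] is None or attr in r["attrs"]

def access_allowed(rules, peer, dn, attr, needed):
    for r in rules:
        if not what_matches(r, dn, attr):
            continue
        for subject, level in r["by"]:
            if subject != "*" and not re.search(subject, peer):   # regex is unanchored
                continue
            if level == "break":
                break                                   # keep trying later directives
            return LEVELS.index(level) >= LEVELS.index(needed)  # first match stops
        else:
            return False                                # no <by> matched: "by * none"
    return False                                        # nothing matched: default deny

def ldapsearch(rules, peer, base, flt):
    """Subtree search evaluated the way slapd does; returns (result code, DNs returned)."""
    if not access_allowed(rules, peer, base, "entry", "search"):
        return 50, []   # insufficientAccessRights (newer slapd: noSuchObject unless 'disclose')
    filter_attr = re.fullmatch(r"\((\w+)=.*\)", flt).group(1).lower()
    found = []
    for dn in DIRECTORY:
        if not (dn == base or dn.endswith("," + base)):
            continue
        if not access_allowed(rules, peer, dn, filter_attr, "search"):
            continue                                    # filter attribute not searchable here
        if matches_filter(DIRECTORY[dn], flt) and access_allowed(rules, peer, dn, "entry", "read"):
            found.append(dn)                            # read on 'entry' lets slapd return it
    return 0, found

LOCAL, REMOTE = "IP=A.A.A.7:40001", "IP=B.B.B.B:40002"          # constructed peernames

# The original poster's directives: nothing grants B.B.B.B search on the base entry ou=people.
ORIGINAL = [
    rule("base", "", None, None, [("IP=A.A.A..+", "read"), ("IP=127.0.0.1", "read"), ("*", "none")]),
    rule("sub", PEOPLE, "(ou=DIV1*)", None, [("IP=B.B.B.B", "read"), ("*", "none")]),
]

# The reply's suggestion as posted: attrs=ou does not cover the 'entry' pseudo-attribute,
# so under this model the base-entry check still fails for B.B.B.B.
SUGGESTED = [
    rule("sub", PEOPLE, None, {"ou"}, [("IP=B.B.B.B", "search"), ("IP=A.A.A..+", "read"), ("*", "break")]),
    rule("sub", PEOPLE, "(ou=DIV1*)", None, [("IP=B.B.B.B", "read"), ("IP=A.A.A..+", "read"), ("*", "none")]),
    rule("*", None, None, None, [("IP=A.A.A..+", "read")]),
]

# Assumed refinement (not from the thread): DIV1 entries fully readable first, then search-only
# access to 'entry' and 'ou' elsewhere in the subtree so the base check and filter succeed,
# then site-wide read for the local subnet.  B.B.B.B can never read a non-DIV1 entry.
REFINED = [
    rule("sub", PEOPLE, "(ou=DIV1*)", None, [("IP=B.B.B.B", "read"), ("IP=A.A.A..+", "read"), ("*", "break")]),
    rule("sub", PEOPLE, None, {"entry", "ou"}, [("IP=B.B.B.B", "search"), ("IP=A.A.A..+", "read"), ("*", "none")]),
    rule("*", None, None, None, [("IP=A.A.A..+", "read")]),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED), ("refined", REFINED)):
        for peer in (LOCAL, REMOTE):
            print(name, peer, ldapsearch(rules, peer, PEOPLE, "(ou=DIV1*)"))
```

Running the file prints each rule set's outcome for a local and a remote peer. Two practical notes: directive order decides everything, since the first matching "access to" is the only one consulted unless a "break" sends evaluation onward, and peername.regex patterns are unanchored extended regexes in which "." matches any character, so a production slapd.conf should escape the dots and anchor on the port separator (for example IP=B\.B\.B\.B:) rather than use the placeholders kept here from the thread.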