Daniel PĂ©rez del Campo wrote:
I have read all that you suggested to me. I have this ACL:
access to attrs=userPassword by peername.ip=192.168.70.133 write by * none
With this, the users can bind from this IP, but I can't include groups,or something about users that have GID=1000, for example.
slapd.access(5) clearly states that "by" clauses can be ANDed by simply setting more than one. For example
access to attrs=userPassword by peername.ip=192.168.70.133 group="cn=Profesores" write
If you want to get to allowing access based on the **contents** of the entry the client is binding as, I fear you need to use sets; in that case, you need to learn sets' syntax (http://www.openldap.org/faq/data/cache/1133.html); something like
access to attrs=userPassword by peername.ip=192.168.70.133 set="user/gidNumber & 1000" write
p,
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------