On 05/07/07, Brian Gaber Brian.Gaber@pwgsc.gc.ca wrote:
Hope someone can explain this to me. I am sure it is very trivial. I have a primary LDAP server (10.16.13.84), a replica LDAP server (10.16.13.85) and a few clients all with a 10.16.13.x address.
Here is the access control I thought would work:
access to *
        by self write
        by peername=10.16.13.84 write
        by peername=10.16.13.81 read
        by peername=10.16.13.82 read
        by peername=10.16.13.83 read
        by peername=10.16.13.85 read
        by peername=10.16.13.86 read
Here is what does work:
access to * by self write by peername.ip=10.16.13.84 write by * read
By "work" I mean that when I am on the replica (10.16.13.85) and issue an ldapsearch to itself, I get an error 32 (no such object) with the top access, but I get the expected result with the bottom access.
I am not 100% sure, but maybe this will help you (I am using a similar ACL). AFAIR, in the peername you need to add the "IP=" prefix, but I don't really remember; please correct me. The regex matching directive that works for me looks like this:
by peername.regex="IP=10.10.120..+" read
Then you could try:
by peername.regex="IP=10.16.13.8[1-6]" read
And please double-check whether you need to supply the "IP=10.10.10.10" form for the "by peername" without regex. The regex solution will not conflict with the first entry, as write permission includes reading (and ACL parsing stops on the first matched rule).
Hope this helps.
Regards, Michal
Brian Gaber
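As an added illustration (not code from this thread or from OpenLDAP itself), a small Python model of the three peername styles discussed above and of slapd's first-match evaluation. It assumes that slapd builds the peername string for an IPv4 client as "IP=<addr>:<port>", and it models only the peername clauses (no "by self", no netmasks on peername.ip).

```python
import re

# Model of how slapd evaluates "by peername..." clauses (added example, not slapd's code).
# Assumption: for an IPv4 TCP client slapd builds the peername string as "IP=<addr>:<port>".
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def match_peername(style, pattern, peername):
    """Return True if a 'by' clause of the given style matches the client's peername."""
    if style == "any":                       # by *
        return True
    if style == "exact":                     # by peername=<value>: whole-string compare,
        return pattern == peername           # so a bare address never equals "IP=addr:port"
    if style == "ip":                        # by peername.ip=<addr>: compare the address part only
        addr = peername[len("IP="):].rsplit(":", 1)[0] if peername.startswith("IP=") else ""
        return pattern == addr
    if style == "regex":                     # by peername.regex=<re>: unanchored search, like regexec()
        return re.search(pattern, peername) is not None
    raise ValueError("unknown style %r" % style)

def access_granted(clauses, peername, wanted):
    """The first matching 'by' clause decides and ends evaluation; a higher level implies the lower ones."""
    for style, pattern, level in clauses:
        if match_peername(style, pattern, peername):
            return LEVELS[level] >= LEVELS[wanted]
    return False                             # nothing matched: access denied

# Brian's first ACL (addresses without the "IP=" prefix); "by self" omitted since only peername is modelled.
TOP = [("exact", "10.16.13.84", "write")] + [("exact", "10.16.13.8%d" % i, "read") for i in (1, 2, 3, 5, 6)]
# Brian's working ACL: peername.ip for the primary, everyone else read.
BOTTOM = [("ip", "10.16.13.84", "write"), ("any", "", "read")]
# Michal's suggestion: primary writes, the listed LAN hosts read via regex, everybody else gets nothing.
REGEX = [("ip", "10.16.13.84", "write"), ("regex", "IP=10.16.13.8[1-6]", "read")]
# The same clauses with the catch-all first: the write clause is never reached.
MISORDERED = [("any", "", "read"), ("ip", "10.16.13.84", "write")]

if __name__ == "__main__":
    replica, primary = "IP=10.16.13.85:39211", "IP=10.16.13.84:41820"   # constructed peernames
    print("replica read, TOP:        ", access_granted(TOP, replica, "read"))      # False -> err 32
    print("replica read, BOTTOM:     ", access_granted(BOTTOM, replica, "read"))   # True
    print("primary write, REGEX:     ", access_granted(REGEX, primary, "write"))   # True
    print("outsider read, REGEX:     ", access_granted(REGEX, "IP=10.16.13.99:5", "read"))  # False
    print("primary write, MISORDERED:", access_granted(MISORDERED, primary, "write"))        # False
```

The MISORDERED case shows why the order of the "by" clauses matters: a broad clause placed first silently shadows the more specific ones after it.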