Michal,
Tried your suggestion, ldapsearch still fails. Here is the log:
Jul 5 11:09:31 ias2 slapd[11565]: entry_decode: "SFTid=0002-00000000,ou=servers,o=sft"
Jul 5 11:09:31 ias2 slapd[11565]: <= entry_decode(SFTid=0002-00000000,ou=servers,o=sft)
Jul 5 11:09:31 ias2 slapd[11565]: => bdb_dn2id("SFTid=0002-00000000,ou=servers,o=sft")
Jul 5 11:09:31 ias2 slapd[11565]: <= bdb_dn2id: got id=0x00000030
Jul 5 11:09:31 ias2 slapd[11565]: => test_filter
Jul 5 11:09:31 ias2 slapd[11565]: EQUALITY
Jul 5 11:09:31 ias2 slapd[11565]: => access_allowed: search access to "SFTid=0002-00000000,ou=servers,o=sft" "SFTid" requested
Jul 5 11:09:31 ias2 slapd[11565]: => acl_get: [1] attr SFTid
Jul 5 11:09:31 ias2 slapd[11565]: => acl_mask: access to entry "SFTid=0002-00000000,ou=servers,o=sft", attr "SFTid" requested
Jul 5 11:09:31 ias2 slapd[11565]: => acl_mask: to value by "", (=0)
Jul 5 11:09:31 ias2 slapd[11565]: <= check a_dn_pat: self
Jul 5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: 10.16.13.84
Jul 5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: IP=10.16.13.8[1-6]*
Jul 5 11:09:31 ias2 slapd[11565]: => acl_string_expand: pattern: IP=10.16.13.8[1-6]*
Jul 5 11:09:31 ias2 slapd[11565]: => acl_string_expand: expanded: IP=10.16.13.8[1-6]*
Jul 5 11:09:31 ias2 slapd[11565]: => regex_matches: string:^I IP=127.0.0.1:46749
Jul 5 11:09:31 ias2 slapd[11565]: => regex_matches: rc: 1 no matches
Jul 5 11:09:31 ias2 slapd[11565]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Jul 5 11:09:31 ias2 slapd[11565]: => access_allowed: search access denied by =0
Jul 5 11:09:31 ias2 slapd[11565]: <= test_filter 50
Jul 5 11:09:31 ias2 slapd[11565]: bdb_search: 48 does not match filter
-----Original Message-----
From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
Sent: Thursday, July 05, 2007 11:01 AM
To: Brian Gaber
Cc: openldap-software@openldap.org
Subject: Re: Challenge With Access Control
As far as I understand the log - you need to include the port. This should help then:
by peername.regex="IP=10.16.13.8[1-6]:[0-9]*" read
Regards, Michal
On 05/07/07, Brian Gaber Brian.Gaber@pwgsc.gc.ca wrote:
Tried your suggestion and still have a problem.
Here is the new slapd.conf:
access to * by self write by peername.ip=10.16.13.84 write by peername.regex="IP=10.16.13.8[1-6]" read
Here is the log:
entry_decode: "SFTid=0001-00000000,ou=servers,o=sft"
Jul 5 10:46:35 ias2 slapd[11401]: <= entry_decode(SFTid=0001-00000000,ou=servers,o=sft)
Jul 5 10:46:35 ias2 slapd[11401]: => bdb_dn2id("SFTid=0001-00000000,ou=servers,o=sft")
Jul 5 10:46:35 ias2 slapd[11401]: <= bdb_dn2id: got id=0x0000002f
Jul 5 10:46:35 ias2 slapd[11401]: => test_filter
Jul 5 10:46:35 ias2 slapd[11401]: EQUALITY
Jul 5 10:46:35 ias2 slapd[11401]: => access_allowed: search access to "SFTid=0001-00000000,ou=servers,o=sft" "SFTid" requested
Jul 5 10:46:35 ias2 slapd[11401]: => acl_get: [1] attr SFTid
Jul 5 10:46:35 ias2 slapd[11401]: => acl_mask: access to entry "SFTid=0001-00000000,ou=servers,o=sft", attr "SFTid" requested
Jul 5 10:46:35 ias2 slapd[11401]: => acl_mask: to value by "", (=0)
Jul 5 10:46:35 ias2 slapd[11401]: <= check a_dn_pat: self
Jul 5 10:46:35 ias2 slapd[11401]: <= check a_peername_path: 10.16.13.84
Jul 5 10:46:35 ias2 slapd[11401]: <= check a_peername_path: IP=10.16.13.8[1-6]
Jul 5 10:46:35 ias2 slapd[11401]: => acl_string_expand: pattern: IP=10.16.13.8[1-6]
Jul 5 10:46:35 ias2 slapd[11401]: => acl_string_expand: expanded: IP=10.16.13.8[1-6]
Jul 5 10:46:35 ias2 slapd[11401]: => regex_matches: string:^I IP=127.0.0.1:46504
Jul 5 10:46:35 ias2 slapd[11401]: => regex_matches: rc: 1 no matches
Jul 5 10:46:35 ias2 slapd[11401]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Jul 5 10:46:35 ias2 slapd[11401]: => access_allowed: search access denied by =0
Jul 5 10:46:35 ias2 slapd[11401]: <= test_filter 50
-----Original Message-----
From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
Sent: Thursday, July 05, 2007 10:36 AM
To: Brian Gaber
Cc: openldap-software@openldap.org
Subject: Re: Challenge With Access Control
On 05/07/07, Brian Gaber Brian.Gaber@pwgsc.gc.ca wrote:
Hope someone can explain this to me. I am sure it is very trivial.
I have a primary LDAP server (10.16.13.84), a replica LDAP server (10.16.13.85) and a few clients all with a 10.16.13.x address.
Here is the access control I thought would work:
access to * by self write by peername=10.16.13.84 write by peername=10.16.13.81 read by peername=10.16.13.82 read by peername=10.16.13.83 read by peername=10.16.13.85 read by peername=10.16.13.86 read
Here is what does work:
access to * by self write by peername.ip=10.16.13.84 write by * read
By work I mean that when I am on the replica (10.16.13.85) and issue an ldapsearch to itself I get a 32 no such object with the top access, but I get the expected result with the bottom access.
I am not 100% sure, but maybe this will help you (I am using similar ACL). AFAIR in the peername you need to add the "IP=" - but I don't really remember, please correct me. The regex matching directive that works for me looks like this:
by peername.regex="IP=10.10.120..+" read
Then you could try:
by peername.regex="IP=10.16.13.8[1-6]" read
And please double check if you need to supply the "IP=10.10.10.10" for the "by peername" without regex. The regex solution will not conflict with the first entry as write permission includes reading (and ACL parsing stops on the first matched rule).
Hope this helps.
Regards, Michal
Brian Gaber
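As an added illustration (not code from this thread or from OpenLDAP), a small Python model of how the "by" clauses of the access directive discussed above get evaluated. It assumes, as the posted log suggests, that slapd tests a peername.regex pattern with an unanchored search against the "IP=<addr>:<port>" string and stops at the first <who> clause that matches; the 127.0.0.1 peername is the value from the log, the other peernames are constructed.

```python
import re

# Simplified model of one "access to *" directive, not slapd's own code.
# Assumptions: peername.regex is searched unanchored (like regexec()) against
# the full "IP=<addr>:<port>" string slapd logs, and the first matching
# <who> clause decides the access level.


def parse_peername(peername):
    """Split slapd's peername string, e.g. 'IP=127.0.0.1:46749', into (ip, port)."""
    m = re.fullmatch(r"IP=([0-9.]+):(\d+)", peername)
    if not m:
        raise ValueError("unexpected peername format: %r" % peername)
    return m.group(1), m.group(2)


def who_matches(who, peername, is_self):
    """Return True if a single <who> clause applies to this connection."""
    if who == "*":
        return True
    if who == "self":
        return is_self
    if who.startswith("peername.ip="):
        ip, _port = parse_peername(peername)
        return who[len("peername.ip="):] == ip
    if who.startswith("peername.regex="):
        pattern = who[len("peername.regex="):].strip('"')
        # The pattern is applied to "IP=addr:port", so it must allow for the
        # ":port" tail if it is meant to cover the end of the address.
        return re.search(pattern, peername) is not None
    raise ValueError("unsupported <who> clause: %r" % who)


def evaluate(clauses, peername, is_self=False):
    """clauses: ordered list of (who, level). First match wins, as in slapd."""
    for who, level in clauses:
        if who_matches(who, peername, is_self):
            return level
    return "none"  # "no more <who> clauses": access denied


# The ACL from the thread, with Michal's last regex suggestion (port included).
ACL = [
    ("self", "write"),
    ("peername.ip=10.16.13.84", "write"),
    ('peername.regex="IP=10.16.13.8[1-6]:[0-9]*"', "read"),
]

if __name__ == "__main__":
    # Peername from the posted log: the ldapsearch run on the replica "to itself"
    # arrived over loopback, so no 10.16.13.x clause can match it.
    print(evaluate(ACL, "IP=127.0.0.1:46749"))    # none
    print(evaluate(ACL, "IP=10.16.13.85:46504"))  # read (constructed peername)
    print(evaluate(ACL, "IP=10.16.13.84:389"))    # write (constructed peername)
```

Pointing ldapsearch at the replica's 10.16.13.85 address instead of localhost, or adding a clause for 127.0.0.1, changes which <who> clause is reached.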