Is it possible to control the size limit based on the ip address?
man slapd.conf
limits <who> <limit> [<limit> [...]]
The argument who can be any of
anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
Which doesn't look like the 'who' can be an ip address, but I just want to confirm that is the case (since the 'who' in slapd.access supports peername.ip and I'm hoping that the underlying code for both 'who's is the same :)
Basically we have software running on a host that is unable to authenticate (due to 3rd party software) and we need to increase the size limits for queries coming from it, without increasing that limit for all anonymous binds.
Are there alternative ways of doing this? Possibly setting up a server with back-ldap running, only allowing access from the specific ip address and letting the back-ldap server bind to real servers as an authorized account?
Or is there a way to map an ip address to an identity that can be used in the limits control?
We're running 2.3.24.
thanks,
Patrick
Patrick Radtke wrote:
> Is it possible to control the size limit based on the ip address?
>
> man slapd.conf
> limits <who> <limit> [<limit> [...]]
> The argument who can be any of
> anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
>
> Which doesn't look like the 'who' can be an ip address, but I just want to confirm that is the case (since the 'who' in slapd.access supports peername.ip and I'm hoping that the underlying code for both 'who's is the same :)
>
> Basically we have software running on a host that is unable to authenticate (due to 3rd party software) and we need to increase the size limits for queries coming from it, without increasing that limit for all anonymous binds.
>
> Are there alternative ways of doing this? Possibly setting up a server with back-ldap running, only allowing access from the specific ip address and letting the back-ldap server bind to real servers as an authorized account?
> Or is there a way to map an ip address to an identity that can be used in the limits control?
>
> We're running 2.3.24.
>
> thanks,
> Patrick

Did you try?
> Is it possible to control the size limit based on the ip address?
>
> man slapd.conf
> limits <who> <limit> [<limit> [...]]
> The argument who can be any of
> anonymous | users | [dn[.<style>]=]<pattern> | group[/oc[/at]]=<pattern>
>
> Which doesn't look like the 'who' can be an ip address, but I just want to confirm that is the case (since the 'who' in slapd.access supports peername.ip and I'm hoping that the underlying code for both 'who's is the same :)

The man page is correct, it's not possible.

> Basically we have software running on a host that is unable to authenticate (due to 3rd party software) and we need to increase the size limits for queries coming from it, without increasing that limit for all anonymous binds.

Your problem sounds general enough to deserve an extension of the limits "who" clause semantics (I don't see it as quite high-priority, though). In any case, the modification should be trivial enough. I suggest you file an ITS for a feature request.

> Are there alternative ways of doing this? Possibly setting up a server with back-ldap running, only allowing access from the specific ip address and letting the back-ldap server bind to real servers as an authorized account?
> Or is there a way to map an ip address to an identity that can be used in the limits control?

Using idassert-bind with back-ldap would make it possible to transform an anonymous connection into an authorized one. However, the request would then appear as originating from the DSA instantiating the back-ldap, rather than from the actual client.

> We're running 2.3.24.

You should definitely upgrade.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
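A concrete shape of the proxy approach discussed in this thread, as an added example that is not from the thread or from the OpenLDAP project: a slapd.conf fragment for a back-ldap proxy that only the unauthenticated host may use, plus the limits lines on the real server that raise the size limit for the proxy's identity alone. The suffix, host name, DNs, the 192.0.2.10 address and the password are placeholders, and it assumes the proxy authenticates to the real server with a simple bind.

```conf
########## slapd.conf on the proxy host (placeholder names throughout) ##########
database ldap
suffix   "dc=example,dc=com"
uri      "ldap://real-ldap.example.com/"

# Forward every request under this administrative identity instead of the
# client's (anonymous) one; mode=none sends no proxyAuthz control, so the
# real server simply sees a bound "cn=proxy" connection.
idassert-bind bindmethod=simple
    binddn="cn=proxy,dc=example,dc=com"
    credentials="CHANGE-ME-placeholder"
    mode=none

# Only the application host (placeholder TEST-NET address) gets results back.
# back-ldap honours read access on the entries it returns, so other peers
# receive nothing; a host firewall on the proxy's port is still advisable,
# because the real server can no longer tell who the original client was.
access to *
    by peername.ip=192.0.2.10 read
    by * none

########## slapd.conf on the real server ##########
# The raised size limit applies only to the proxy's identity; every other
# anonymous bind keeps the lower limit.
limits dn.exact="cn=proxy,dc=example,dc=com" size=10000
limits anonymous size=500
```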