Hi! First of all, sorry for my English. I will try to be clear. I have an LDAP server running perfectly. I have this in it:
ou=users,dc=tel,dc=uva,dc=es
ou=groups,dc=tel,dc=uva,dc=es
cn=alumnos,ou=groups,dc=tel,dc=uva,dc=es
    objectClass: posixGroup
    gidnumber: 10
cn=profesores,ou=groups,dc=tel,dc=uva,dc=es
    objectClass: posixGroup
    gidnumber: 11
Now, I would like to authenticate users who belong to "profesores" from IP=111.111.111.111. On the other hand, I would like to authenticate users who belong to "alumnos" from IP=222.222.222.222. And at last, the same, but with both groups, from IP=333.333.333.333.
And in all cases, the authenticated users could change their password.
I have looked at the manual, but I only found how to let all users (or nobody) bind from a specific IP; I don't know how to do it with groups of users.
Can anybody help me? Thank you very much!
Daniel Perez
Daniel Pérez del Campo wrote:
man slapd.access
Check for dn.regex, groups and peername.ip
and
http://www.openldap.org/faq/data/cache/189.html
I have read all that you suggested to me. I have this ACL:
access to attrs=userPassword by peername.ip=192.168.70.133 write by * none
With this, the users can bind from this IP, but I can't include groups, or something about users that have GID=1000, for example.
Can anybody help me?
Thank you very much!
From: Gavin Henry ghenry@suretecsystems.com To: Daniel Pérez del Campo dpercam@hotmail.com CC: openldap-software@openldap.org Subject: Re: ACL to bind groups from a IP Date: Fri, 05 Oct 2007 16:03:48 +0100
-- Kind Regards,
Gavin Henry. Managing Director.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
Daniel Pérez del Campo wrote:
slapd.access(5) clearly states that "by" clauses can be ANDed by simply setting more than one. For example
access to attrs=userPassword by peername.ip=192.168.70.133 group="cn=Profesores" write
If you want to get to allowing access based on the **contents** of the entry the client is binding as, I fear you need to use sets; in that case, you need to learn sets' syntax (http://www.openldap.org/faq/data/cache/1133.html); something like
access to attrs=userPassword by peername.ip=192.168.70.133 set="user/gidNumber & 1000" write
p,
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
I don't know what the problem is; with your suggestion it should work, but it doesn't. I have tried both ways. My LDAP server is:
dc=tel,dc=uva,dc=es
    cn=root
    ou=users
        uid=dpercam (GID=1002)
        uid=caralo (GID=1001)
    ou=groups
        cn=profesores (gidNumber=1001)
        cn=alumnos (gidNumber=1002)
Do I have to include something more in the statements below?
Thank you!
From: Pierangelo Masarati ando@sys-net.it To: Daniel Pérez del Campo dpercam@hotmail.com CC: openldap-software@openldap.org Subject: Re: ACL to bind groups from a IP Date: Tue, 23 Oct 2007 18:07:02 +0200
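An added example, not from any of the posters, of a slapd.conf ACL fragment that puts the thread's advice together for the tree Daniel describes (gidNumber 1001 for profesores, 1002 for alumnos, the three addresses from his first mail). It assumes that a simple bind is checked for "auth" on userPassword while the requester is still anonymous, so membership is tested on the target entry ("this" in set syntax) rather than on "user", and that set literals are written in square brackets as in the sets FAQ Pierangelo links to.

```conf
# Added example (not from the thread): slapd.conf ACL for the posted tree.
# All qualifiers in one "by" clause are ANDed; the first matching clause wins.
access to attrs=userPassword
    # whoever managed to bind may change only their own password
    by self write
    # profesores (gidNumber 1001) may authenticate from 111.111.111.111
    by peername.ip=111.111.111.111 set="this/gidNumber & [1001]" auth
    # alumnos (gidNumber 1002) may authenticate from 222.222.222.222
    by peername.ip=222.222.222.222 set="this/gidNumber & [1002]" auth
    # either group may authenticate from 333.333.333.333
    by peername.ip=333.333.333.333 set="this/gidNumber & ([1001] | [1002])" auth
    # deny everything else; note that the thread's original clause
    # "by peername.ip=... write" with no identity qualifier lets any
    # client, including an anonymous one, from that address overwrite
    # passwords, which is why the clauses above grant only "auth"
    by * none

# the rest of the tree: bound users can read, nobody else can
access to *
    by self write
    by users read
    by * none
```

Reload slapd (or run slaptest on the file) after the change, and confirm with a bind from each address that profesores fail from 222.222.222.222 and alumnos from 111.111.111.111 before relying on it.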