Hi,
I have some problems configuring my ACLs and hope someone can help me.
I want all of my local subnet (A.A.A.x) to have full read access; that part is OK. I want some IPs to have access to only one search: for example, I want IP1 B.B.B.B to be able to do only this search, and any other search to return an error: ldapsearch -x -b "ou=people,ou=compagnie,ou=com" "(ou=DIV1*)" -LLL
I can't find how to configure that. I've tried:
access to dn.base="" by peername.regex="IP=A.A.A..+" read by peername.regex="IP=127.0.0.1" read by * none
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*) by peername.regex="IP=B.B.B.B" read by * none
but it doesn't work; I get an insufficient access (50) error.
If anyone can help me...
Thanks in advance
Hi Julien,
AFAIK, you can't limit search rights depending on the filter used in the search. The syntax you have above limits read access to all entries that correspond to the "ou=DIV1*" filter.
You have an "insufficient access" error because you are trying to search based on "ou=people", but don't have the right to (because ou=people doesn't match "ou=DIV1*").
To get closer to what you want, you could try this:
access to dn.sub="ou=people,ou=compagnie,ou=com" attrs=ou by peername.regex="IP=B.B.B.B" search by peername.regex="IP=A.A.A..+" read by * break
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*) by peername.regex="IP=B.B.B.B" read by peername.regex="IP=A.A.A..+" read by * none
access to * by peername.regex="IP=A.A.A..+" read
This way, IP B.B.B.B can search through ou=people, and only read entries that match the "ou=DIV1*" filter. They will also be allowed to perform any search using the "ou" attribute, but the only results will match "ou=DIV1*".
Hope this helps.
Regards, Jonathan
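To see why the first attempt returns insufficient access and what Jonathan's three directives actually grant, here is an added Python model of slapd's ACL evaluation (my own illustration, not code from this thread or from OpenLDAP). It covers only the forms used above (dn.base/dn.sub, an (ou=XYZ*) filter, attrs, peername.regex, the none/auth/compare/search/read/write ladder and break), and the entries and "IP=addr:port" peer strings are constructed samples.

```python
import re, shlex

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}  # slapd.access(5) ladder

def parse(line):  # one 'access to <what> by <who> [<level>] [break]' line, forms used in this thread only
    head, *bys = line.split(" by ")
    what, clauses = {}, []
    for tok in shlex.split(head[len("access to "):]):
        key, _, val = tok.partition("=")
        if key.startswith("dn."):
            what["dn"] = (val, key[3:])               # (base DN, "base" | "sub")
        elif key == "filter":
            what["ou_prefix"] = val[len("(ou="):-2]   # only (ou=XYZ*) prefix filters are modelled
        elif key == "attrs":
            what["attrs"] = set(val.split(","))
    for by in bys:
        who, *rest = shlex.split(by)
        who = who.partition("=")[2] if who.startswith("peername.regex=") else who
        level = next((p for p in rest if p in LEVELS), None)  # omitted level: grant left unchanged
        clauses.append((who, level, "break" in rest))
    return what, clauses

def what_matches(what, dn, entry, attr):
    base, scope = what.get("dn", (dn, "base"))        # no dn part: every entry is in scope
    in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
    filt_ok = "ou_prefix" not in what or any(v.startswith(what["ou_prefix"]) for v in entry.get("ou", []))
    return in_scope and filt_ok and ("attrs" not in what or attr in what["attrs"])

def granted(acl_text, peername, dn, entry, attr):
    # first directive whose <what> matches, first <who> that matches; 'break' moves to the next directive
    level = "none"                                     # the implicit trailing 'access to * by * none'
    for what, clauses in map(parse, acl_text.strip().splitlines()):
        if not what_matches(what, dn, entry, attr):
            continue
        for who, lvl, brk in clauses:
            if who == "*" or re.search(who, peername):
                level = lvl or level
                if not brk:
                    return level
                break
    return level

def allowed(acl_text, peername, dn, entry, attr, wanted):
    return LEVELS[granted(acl_text, peername, dn, entry, attr)] >= LEVELS[wanted]

# Jonathan's suggested ACL, copied from the thread; entries and peers below are constructed samples
JONATHAN = '''
access to dn.sub="ou=people,ou=compagnie,ou=com" attrs=ou by peername.regex="IP=B.B.B.B" search by peername.regex="IP=A.A.A..+" read by * break
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*) by peername.regex="IP=B.B.B.B" read by peername.regex="IP=A.A.A..+" read by * none
access to * by peername.regex="IP=A.A.A..+" read'''
BASE, PEER_B, PEER_A = "ou=people,ou=compagnie,ou=com", "IP=B.B.B.B:40001", "IP=A.A.A.5:40002"
PEOPLE, DIV1, DIV2 = {"ou": ["people"]}, {"ou": ["DIV1"]}, {"ou": ["DIV2"]}
```

With Julien's original two directives, `allowed(..., PEER_B, BASE, PEOPLE, "ou", "search")` is False because no directive matches the ou=people base entry; with JONATHAN it is True, while read on entries outside the (ou=DIV1*) filter stays at none for B.B.B.B.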
Hi Jonathan,
Thanks for your help! I just set the ACL with this config and it seems to work:
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*) by peername.regex="IP=B.B.B.B" read by peername.regex="IP=A.A.A..+" read
access to * by peername.regex="IP=A.A.A..+" read by * none
My user is limited to the search
ldapsearch -x -b "ou=people,ou=compagnie,ou=com" "(ou=DIV1*)"
Any other search returns insufficient access.
Julien
Julien Garnier writes:
access to dn.base="" by peername.regex="IP=A.A.A..+" read by peername.regex="IP=127.0.0.1" read by * none
This only sets the access to the entry named "", i.e. the entry automatically generated by the server itself. Doesn't sound like that is what you want.
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
This sets access to all entries in the people subtree which contain an 'ou' attribute starting with "DIV1". It doesn't say which filter people are allowed to use.
by peername.regex="IP=B\.B\.B\.B" read by * none
You don't give people at A.A.A.* any access to this subtree.
Read man slapd.access(5). It sounds like what you need is something like this:
# hide userPassword, but allow anyone in the related IPs to log in
access to attrs=userPassword
    by peername.ip=A.A.A.0%255.255.255.0 auth
    by peername.ip=127.0.0.1 auth
    by peername.ip=B.B.B.B auth
    by * none

# allow everyone locally read access to everything else, and no access
# for others but continue checking other access statements for people at
# B.B.B.B
access to *
    by peername.ip=A.A.A.0%255.255.255.0 read
    by peername.ip=127.0.0.1 read
    by peername.ip=B.B.B.B none break
    by * none

# access for folks at B.B.B.B....

# allow them to search with this baseDN
access to dn.exact="ou=people,ou=compagnie,ou=com" attrs=entry
    by * =s

# allow them to find entries in this subtree matching this filter,
# and nothing else:
access to dn.sub="ou=people,ou=compagnie,ou=com" filter=(ou=DIV1*)
    by * none break
access to dn.sub="ou=people,ou=compagnie,ou=com"
    by * none

# allow them to search for and read 'ou' (though they can also list
# all allowed entries by searching with the "true" filter "(&)"):
access to attrs=ou
    by * =sr

# allow them to read everything they find
access to attrs=*
    by * =r