Hi all-

I’m configuring an OpenLDAP server with the Perl Backend. I’ve been able to set permissions for search on one of my backends to lock it down based on IP as follows:

access to dn.sub="dc=alias"
        by peername.ip=127.0.0.1 read
        by peername.ip=10.181.24.193 read
        by peername.ip=10.181.35.243 read
        by * none

That makes it so that only the IPs listed can search and get results from that branch.

I now need to do the same type of thing for another branch, but for authentication instead (i.e. only allow auth to occur if coming from an approved IP). I’ve tried the following:

access to dn.sub="dc=mfa"
        by peername.ip=127.0.0.1 auth
        by peername.ip=10.181.24.193 auth
        by * none

But no luck. Any ideas/help? If I can’t do this with an ACL, but I can get the IP address of the request passed in to the bind function in the Perl backend, I can handle the controls there.

-Etan E. Weintraub
Information Security Architect
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Davis Building Suite 3110B
Baltimore, MD 21209
Phone: 667-208-6309
E-mail: eweintra@jhmi.edu
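Added example, not from the post or from OpenLDAP itself: a small Python model of slapd's documented ACL evaluation (the first matching "to" clause is selected, then the first matching "by" clause inside it wins, and each access level implies all lower ones), run over the two ACLs quoted above to check which client IP gets which privilege on each branch. It models only dn.sub targets and peername.ip subjects, and says nothing about whether a particular backend actually consults the ACL during bind.

```python
import ipaddress
import re

# slapd access levels, least to most privileged; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two ACLs from the post, embedded so the example runs offline.
CONFIG = """
access to dn.sub="dc=alias"
        by peername.ip=127.0.0.1 read
        by peername.ip=10.181.24.193 read
        by peername.ip=10.181.35.243 read
        by * none
access to dn.sub="dc=mfa"
        by peername.ip=127.0.0.1 auth
        by peername.ip=10.181.24.193 auth
        by * none
"""

def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives into (suffix, clauses).
    Only dn.sub="..." targets and peername.ip=<addr> or '*' subjects are modelled."""
    rules = []
    for block in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        what, *bys = re.split(r"\s+by\s+", block.strip())
        m = re.fullmatch(r'dn\.sub="([^"]+)"', what)
        if m is None:
            raise ValueError("unsupported <what> clause: " + what)
        clauses = []
        for by in bys:
            who, level = by.split()
            # '*' matches any client; otherwise an exact peer IP (ValueError if malformed)
            ip = None if who == "*" else ipaddress.ip_address(who.split("peername.ip=", 1)[-1])
            clauses.append((ip, level))
        rules.append((m.group(1).lower(), clauses))
    return rules

def granted_level(rules, target_dn, client_ip):
    """First 'to' clause matching the DN is selected, then its first matching 'by' clause
    decides; slapd's implicit 'by * none' / 'access to * by * none' deny everything else."""
    ip, dn = ipaddress.ip_address(client_ip), target_dn.lower()
    for suffix, clauses in rules:
        if dn == suffix or dn.endswith("," + suffix):
            return next((lvl for who, lvl in clauses if who is None or who == ip), "none")
    return "none"

def allows(rules, target_dn, client_ip, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(rules, target_dn, client_ip)) >= LEVELS.index(needed)
```

Under this model the dc=alias rules grant "read" (which implies search) to the three listed hosts and nothing to anyone else, while the dc=mfa rules grant exactly "auth" to two hosts, so a client that is allowed to bind there still cannot search that branch.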