Hi there
My predecessor created a couple of ACLs that are IP based. For example this one:
olcAccess: {10}to dn.subtree="ou=something,dc=domain,dc=tld" by peername.ip="0.0.0.0%0.0.0.0" none by * +0 break
Unfortunately I can't find any hints what "0.0.0.0%0.0.0.0" means. Can anyone explain that?
The only part of the documentation where 0.0.0.0 occurs is in "20.4.4. Listener". In that case it looks to me like 0.0.0.0 is actually the localhost. In other areas (e.g. some firewalls) 0.0.0.0 is the WAN/Internet, which is pretty much the opposite of localhost.
Since the subnet mask in the ACL is also 0.0.0.0, I assume that the whole construct peername.ip="0.0.0.0%0.0.0.0" basically means "any" IP. But in that case it does not make a lot of sense to me to even have that in the ACL. However, there are a lot of configs left over from my predecessor that don't make a lot of sense to me, so there's that.
Thanks for any hints/explanations and best regards, Cyril
--On Thursday, January 16, 2025 4:05 PM +0100 cyril@stoll.info wrote:
> Hi there
> My predecessor created a couple of ACLs that are IP based. For example this one:
> olcAccess: {10}to dn.subtree="ou=something,dc=domain,dc=tld" by peername.ip="0.0.0.0%0.0.0.0" none by * +0 break
> Unfortunately I can't find any hints what "0.0.0.0%0.0.0.0" means. Can anyone explain that?
It's documented in the slapd.access(5) man page, in the section about "peername".
--Quanah
> > Unfortunately I can't find any hints what "0.0.0.0%0.0.0.0" means. Can anyone explain that?
> It's documented in the slapd.access(5) man page, in the section about "peername".
Thanks for the reply Quanah. Unfortunately I still don't get it. From the section in the man page I removed the parts about domains, sockets and IPv6 to make it easier to read which leaves me with this:
The statement peername=<peername> means that the contacting host IP (in the form IP=<ip>:<port> for IPv4) for peername is compared against pattern to determine access. The same style rules for pattern match described for the group case apply, plus the regex style, which implies submatch expand and regex match of the corresponding connection parameters. The exact style of the <peername> clause (the default) implies a case-exact match on the client's IP, including the IP= prefix and the trailing :<port>. The special ip style interprets the pattern as <peername>=<ip>[%<mask>][{<n>}], where <ip> and <mask> are dotted digit representations of the IP and the mask, while <n>, delimited by curly brackets, is an optional port. When checking access privileges, the IP portion of the peername is extracted, eliminating the IP= prefix and the :<port> part, and it is compared against the <ip> portion of the pattern after masking with <mask>: ((peername & <mask>) == <ip>). As an example, peername.ip=127.0.0.1 allows connections only from localhost, peername.ip=192.168.1.0%255.255.255.0 allows connections from any IP in the 192.168.1 class C domain, and peername.ip=192.168.1.16%255.255.255.240{9009} allows connections from any IP in the 192.168.1.[16-31] range of the same domain, only if port 9009 is used. The expand style is allowed, implying an exact match with submatch expansion; the use of expand as a style modifier is considered more appropriate.
From this edited man-page excerpt I can easily determine that peername.ip=10.10.0.0%255.255.0.0 would allow access for any hosts in the 10.10.0.0/16 IP-range. The subnet mask part in my case is also clear. However I still don't know what exact meaning the IP part 0.0.0.0 has.
Anyone willing to elaborate? Am I correct in assuming peername.ip=0.0.0.0%0.0.0.0 allows access to any IP?
Best regards and have a nice weekend, Cyril
On Fri, Jan 17, 2025 at 10:42:22AM +0100, cyril@stoll.info wrote:
> > > Unfortunately I can't find any hints what "0.0.0.0%0.0.0.0" means. Can anyone explain that?
> > It's documented in the slapd.access(5) man page, in the section about "peername".
> Thanks for the reply Quanah. Unfortunately I still don't get it. From the section in the man page I removed the parts about domains, sockets and IPv6 to make it easier to read which leaves me with this:
> From this edited man-page excerpt I can easily determine that peername.ip=10.10.0.0%255.255.0.0 would allow access for any hosts in the 10.10.0.0/16 IP-range. The subnet mask part in my case is also clear. However I still don't know what exact meaning the IP part 0.0.0.0 has.
> Anyone willing to elaborate? Am I correct in assuming peername.ip=0.0.0.0%0.0.0.0 allows access to any IP?
Hi Cyril, presumably you have both IPv4 and IPv6 (or UNIX socket) clients and this attempts to differentiate between the classes/address families?
Regards,
On 17.01.25 at 10:52, Ondřej Kuzník wrote:
> On Fri, Jan 17, 2025 at 10:42:22AM +0100, cyril@stoll.info wrote:
> > > > Unfortunately I can't find any hints what "0.0.0.0%0.0.0.0" means. Can anyone explain that?
> > > It's documented in the slapd.access(5) man page, in the section about "peername".
> > Thanks for the reply Quanah. Unfortunately I still don't get it. From the section in the man page I removed the parts about domains, sockets and IPv6 to make it easier to read which leaves me with this:
> > From this edited man-page excerpt I can easily determine that peername.ip=10.10.0.0%255.255.0.0 would allow access for any hosts in the 10.10.0.0/16 IP-range. The subnet mask part in my case is also clear. However I still don't know what exact meaning the IP part 0.0.0.0 has.
> > Anyone willing to elaborate? Am I correct in assuming peername.ip=0.0.0.0%0.0.0.0 allows access to any IP?
> Hi Cyril, presumably you have both IPv4 and IPv6 (or UNIX socket) clients and this attempts to differentiate between the classes/address families?
Hi,
Quote from slapd.access (Debian 12, slapd 2.5.13+dfsg-5):
The special ip style interprets the pattern as <peername>=<ip>[%<mask>][{<n>}], where <ip> and <mask> are dotted digit representations of the IP and the mask, while <n>, delimited by curly brackets, is an optional port. The same applies to IPv6 addresses when the special ipv6 style is used.
End quote.
0.0.0.0%0.0.0.0 is <ipv4>%<subnet mask>, equivalent to 0.0.0.0/0 in <ipv4>/<prefix length> notation, meaning every possible IPv4 address.
Regards,
Uwe
On Fri, Jan 17, 2025 at 11:27:01AM +0100, Uwe Sauter wrote:
> On 17.01.25 at 10:52, Ondřej Kuzník wrote:
> > presumably you have both IPv4 and IPv6 (or UNIX socket) clients and this attempts to differentiate between the classes/address families?
> Hi,
> Quote from slapd.access (Debian 12, slapd 2.5.13+dfsg-5):
> The special ip style interprets the pattern as <peername>=<ip>[%<mask>][{<n>}], where <ip> and <mask> are dotted digit representations of the IP and the mask, while <n>, delimited by curly brackets, is an optional port. The same applies to IPv6 addresses when the special ipv6 style is used.
> End quote.
> 0.0.0.0%0.0.0.0 is <ipv4>%<subnet mask>, equivalent to 0.0.0.0/0 in <ipv4>/<prefix length> notation, meaning every possible IPv4 address.
Yes, as opposed to every IPv6 address (or UNIX socket)? At least that's pretty much the only thing that jumps out when I read this.
Regards,
Hi Ondřej
> presumably you have both IPv4 and IPv6 (or UNIX socket) clients and this attempts to differentiate between the classes/address families?
I see, thanks a lot. I didn't think about that but that does indeed explain it. In our case OpenLDAP is not listening for IPv6 traffic but we do use a UNIX socket.
Thanks again and have a nice weekend!
Best regards, Cyril
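As an added illustration of the matching rule quoted from slapd.access(5) earlier in this thread, ((peername & <mask>) == <ip>) plus an optional {<port>}, and of the conclusion that 0.0.0.0%0.0.0.0 selects every IPv4 peer but not IPv6 or UNIX-socket peers, here is example code written for this page (not OpenLDAP's own implementation). It assumes the peername string forms IP=<ip>:<port>, IP=[<ipv6>]:<port> and PATH=<path> described in the man page, and treats a pattern without %<mask> as an exact host match; the sample peernames are constructed.

```python
# Added example: models the slapd.access(5) "peername.ip" style, i.e.
# ((peername & <mask>) == <ip>) with an optional {<port>} restriction.
import ipaddress
import re

# slapd renders peernames as "IP=<ip>:<port>" (IPv4), "IP=[<ip6>]:<port>"
# (IPv6) or "PATH=<path>" (UNIX socket); only the IPv4 form can satisfy
# the "ip" style. Constructed sample peernames, not real connections:
SAMPLE_PEERS = [
    "IP=127.0.0.1:51234",
    "IP=192.168.1.20:9009",
    "IP=192.168.1.20:389",
    "IP=10.10.42.7:389",
    "IP=[::1]:389",
    "PATH=/run/slapd/ldapi",
]

_PATTERN = re.compile(
    r"^(?P<ip>[\d.]+)(?:%(?P<mask>[\d.]+))?(?:\{(?P<port>\d+)\})?$")
_IPV4_PEER = re.compile(r"^IP=(\d+\.\d+\.\d+\.\d+):(\d+)$")

def peername_ip_matches(pattern: str, peername: str) -> bool:
    """True if an IPv4 peername satisfies a peername.ip pattern."""
    m = _PATTERN.match(pattern)
    if m is None:
        raise ValueError(f"bad peername.ip pattern: {pattern!r}")
    # IPv6 and UNIX-socket peernames never match the ip style.
    peer = _IPV4_PEER.match(peername)
    if peer is None:
        return False
    peer_ip = int(ipaddress.IPv4Address(peer.group(1)))
    peer_port = int(peer.group(2))
    want_ip = int(ipaddress.IPv4Address(m.group("ip")))
    # Assumption: no %mask means an exact host match (255.255.255.255),
    # consistent with the man page's peername.ip=127.0.0.1 example.
    mask = int(ipaddress.IPv4Address(m.group("mask") or "255.255.255.255"))
    if (peer_ip & mask) != want_ip:
        return False
    return m.group("port") is None or int(m.group("port")) == peer_port

def matching_peers(pattern: str, peers=SAMPLE_PEERS) -> list:
    """Return the sample peernames that the given pattern selects."""
    return [p for p in peers if peername_ip_matches(pattern, p)]

if __name__ == "__main__":
    for pat in ("127.0.0.1", "192.168.1.0%255.255.255.0",
                "192.168.1.16%255.255.255.240{9009}", "0.0.0.0%0.0.0.0"):
        print(f"{pat:40} -> {matching_peers(pat)}")
```

With 0.0.0.0%0.0.0.0 every IPv4 peer is selected and gets "none", while the ldapi peer falls through to "by * +0 break" and on to the next ACL.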
openldap-technical@openldap.org