Hello,
I have this ACL that allows the user myadmin to list encrypted passwords:
access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet by dn="uid=myadmin,ou=people,dc=mydomain,dc=org" read
However, this user myadmin is supposed to come from one IP, 1.1.1.1, only. I think that the peername directive might help to achieve this task, but I don't know how to associate it with the user myadmin. In conclusion, I would like the user myadmin coming from IP 1.1.1.1 to be able to see the encrypted passwords. If the user myadmin comes from another IP like 2.2.2.2, he would not match the ACL and therefore not be able to see encrypted passwords.
Does anyone know what the syntax is?
I can't find specifics on how it works, but the acls contain a "set" command so something like:
access to <what> by set="dn=[uid=myadmin,ou=people,dc=mydomain,dc=org] & peername.ip=1.1.1.1" read
might work for you, although I don't know the actual syntax or if this is how it was meant to be used.
The ACL reference is here: http://www.openldap.org/doc/admin24/access-control.html
Kyle
2012/10/4 Mik J mikydevel@yahoo.fr
Hello Kyle,
Thank you for your answer. I've implemented this solution and started slapd with -d 256 to make sure of the incoming IP address. Unfortunately this solution doesn't work.
Regards
From: Kyle Smith alacer.cogitatus@gmail.com To: Mik J mikydevel@yahoo.fr
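The dn and peername conditions the thread is trying to combine, written as a slapd.conf ACL (an added example for this thread, not taken from any of the messages): in slapd.access(5) every qualifier listed in one "by" clause must match at the same time, so dn and peername.ip can simply be placed side by side without the set syntax. The trailing "by" lines are an assumption about the rest of the policy.

```conf
# Added example, not from the thread. ACLs are evaluated in order, so this
# attrs rule must come before any broader "access to *" rule.
# In a single "by" clause all qualifiers are ANDed: the bind DN must be
# myadmin AND the client address must be 1.1.1.1 for "read" to be granted.
# peername.ip also accepts a netmask (1.1.1.0%255.255.255.0) and a port
# ({389}) if the source ever needs to be a range rather than one host.
access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
    by dn.exact="uid=myadmin,ou=people,dc=mydomain,dc=org" peername.ip=1.1.1.1 read
    # Assumed remainder of the policy (not from the thread): myadmin binding
    # from 2.2.2.2 fails the clause above and falls through to "by * auth",
    # which still allows password binds but exposes no attribute values.
    by * auth
```

The rule can be exercised without a live client with slapacl(8), whose -o authzDN=... and -o peername=... options set the bind DN and client address the ACL engine sees. Note that ACLs never apply to the database rootdn, so myadmin must be an ordinary entry for this restriction to have any effect.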
openldap-technical@openldap.org