Michal,

Thanks, that worked.

Brian

-----Original Message-----
From: Michal Dobroczynski [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 05, 2007 11:25 AM
To: Brian Gaber
Cc: openldap-software@openldap.org
Subject: Re: Challenge With Access Control

Add -h 10.16.13.84 or whatever the LDAP listens on to ldapsearch and try again.

Regards,
Michal

On 05/07/07, Brian Gaber <[EMAIL PROTECTED]> wrote:
> Michal,
>
> Tried your suggestion, ldapsearch still fails. Here is the log:
>
> Jul 5 11:09:31 ias2 slapd[11565]: entry_decode: "SFTid=0002-00000000,ou=servers,o=sft"
> Jul 5 11:09:31 ias2 slapd[11565]: <= entry_decode(SFTid=0002-00000000,ou=servers,o=sft)
> Jul 5 11:09:31 ias2 slapd[11565]: => bdb_dn2id("SFTid=0002-00000000,ou=servers,o=sft")
> Jul 5 11:09:31 ias2 slapd[11565]: <= bdb_dn2id: got id=0x00000030
> Jul 5 11:09:31 ias2 slapd[11565]: => test_filter
> Jul 5 11:09:31 ias2 slapd[11565]: EQUALITY
> Jul 5 11:09:31 ias2 slapd[11565]: => access_allowed: search access to "SFTid=0002-00000000,ou=servers,o=sft" "SFTid" requested
> Jul 5 11:09:31 ias2 slapd[11565]: => acl_get: [1] attr SFTid
> Jul 5 11:09:31 ias2 slapd[11565]: => acl_mask: access to entry "SFTid=0002-00000000,ou=servers,o=sft", attr "SFTid" requested
> Jul 5 11:09:31 ias2 slapd[11565]: => acl_mask: to value by "", (=0)
> Jul 5 11:09:31 ias2 slapd[11565]: <= check a_dn_pat: self
> Jul 5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: 10.16.13.84
> Jul 5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: IP=10.16.13.8[1-6]*
> Jul 5 11:09:31 ias2 slapd[11565]: => acl_string_expand: pattern: IP=10.16.13.8[1-6]*
> Jul 5 11:09:31 ias2 slapd[11565]: => acl_string_expand: expanded: IP=10.16.13.8[1-6]*
> Jul 5 11:09:31 ias2 slapd[11565]: => regex_matches: string:^I IP=127.0.0.1:46749
> Jul 5 11:09:31 ias2 slapd[11565]: => regex_matches: rc: 1 no matches
> Jul 5 11:09:31 ias2 slapd[11565]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> Jul 5 11:09:31 ias2 slapd[11565]: => access_allowed: search access denied by =0
> Jul 5 11:09:31 ias2 slapd[11565]: <= test_filter 50
> Jul 5 11:09:31 ias2 slapd[11565]: bdb_search: 48 does not match filter
>
> -----Original Message-----
> From: Michal Dobroczynski [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 05, 2007 11:01 AM
> To: Brian Gaber
> Cc: openldap-software@openldap.org
> Subject: Re: Challenge With Access Control
>
> As far as I understand the log - you need to include the port. This should help then:
>
> by peername.regex="IP=10\.16\.13\.8[1-6]:[0-9]*" read
>
> Regards,
> Michal
>
> On 05/07/07, Brian Gaber <[EMAIL PROTECTED]> wrote:
> > Tried your suggestion and still have a problem.
> >
> > Here is the new slapd.conf:
> >
> > access to *
> >         by self write
> >         by peername.ip=10.16.13.84 write
> >         by peername.regex="IP=10\.16\.13\.8[1-6]" read
> >
> > Here is the log:
> >
> > entry_decode: "SFTid=0001-00000000,ou=servers,o=sft"
> > Jul 5 10:46:35 ias2 slapd[11401]: <= entry_decode(SFTid=0001-00000000,ou=servers,o=sft)
> > Jul 5 10:46:35 ias2 slapd[11401]: => bdb_dn2id("SFTid=0001-00000000,ou=servers,o=sft")
> > Jul 5 10:46:35 ias2 slapd[11401]: <= bdb_dn2id: got id=0x0000002f
> > Jul 5 10:46:35 ias2 slapd[11401]: => test_filter
> > Jul 5 10:46:35 ias2 slapd[11401]: EQUALITY
> > Jul 5 10:46:35 ias2 slapd[11401]: => access_allowed: search access to "SFTid=0001-00000000,ou=servers,o=sft" "SFTid" requested
> > Jul 5 10:46:35 ias2 slapd[11401]: => acl_get: [1] attr SFTid
> > Jul 5 10:46:35 ias2 slapd[11401]: => acl_mask: access to entry "SFTid=0001-00000000,ou=servers,o=sft", attr "SFTid" requested
> > Jul 5 10:46:35 ias2 slapd[11401]: => acl_mask: to value by "", (=0)
> > Jul 5 10:46:35 ias2 slapd[11401]: <= check a_dn_pat: self
> > Jul 5 10:46:35 ias2 slapd[11401]: <= check a_peername_path: 10.16.13.84
> > Jul 5 10:46:35 ias2 slapd[11401]: <= check a_peername_path: IP=10.16.13.8[1-6]
> > Jul 5 10:46:35 ias2 slapd[11401]: => acl_string_expand: pattern: IP=10.16.13.8[1-6]
> > Jul 5 10:46:35 ias2 slapd[11401]: => acl_string_expand: expanded: IP=10.16.13.8[1-6]
> > Jul 5 10:46:35 ias2 slapd[11401]: => regex_matches: string:^I IP=127.0.0.1:46504
> > Jul 5 10:46:35 ias2 slapd[11401]: => regex_matches: rc: 1 no matches
> > Jul 5 10:46:35 ias2 slapd[11401]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> > Jul 5 10:46:35 ias2 slapd[11401]: => access_allowed: search access denied by =0
> > Jul 5 10:46:35 ias2 slapd[11401]: <= test_filter 50
> >
> > -----Original Message-----
> > From: Michal Dobroczynski [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 05, 2007 10:36 AM
> > To: Brian Gaber
> > Cc: openldap-software@openldap.org
> > Subject: Re: Challenge With Access Control
> >
> > On 05/07/07, Brian Gaber <[EMAIL PROTECTED]> wrote:
> > > Hope someone can explain this to me. I am sure it is very trivial. I have a primary LDAP server (10.16.13.84), a replica LDAP server (10.16.13.85) and a few clients all with a 10.16.13.x address.
> > >
> > > Here is the access control I thought would work:
> > >
> > > access to *
> > >         by self write
> > >         by peername=10.16.13.84 write
> > >         by peername=10.16.13.81 read
> > >         by peername=10.16.13.82 read
> > >         by peername=10.16.13.83 read
> > >         by peername=10.16.13.85 read
> > >         by peername=10.16.13.86 read
> > >
> > > Here is what does work:
> > >
> > > access to *
> > >         by self write
> > >         by peername.ip=10.16.13.84 write
> > >         by * read
> > >
> > > By work I mean that when I am on the replica (10.16.13.85) and issue an ldapsearch to itself I get a 32 no such object with the top access, but I get the expected result with the bottom access.
> >
> > I am not 100% sure, but maybe this will help you (I am using similar ACL). AFAIR in the peername you need to add the "IP=" - but I don't really remember, please correct me. The regex matching directive that works for me looks like this:
> >
> > by peername.regex="IP=10\.10\.120\..+" read
> >
> > Then you could try:
> >
> > by peername.regex="IP=10\.16\.13\.8[1-6]" read
> >
> > And please double check if you need to supply the "IP=10.10.10.10" for the "by peername" without regex.
> > The regex solution will not conflict with the first entry as write permission includes reading (and ACL parsing stops on the first matched rule).
> >
> > Hope this helps.
> >
> > Regards,
> > Michal
> > >
> > > Brian Gaber
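The logs above show why the replica's search was denied: the connection was made over loopback, so slapd saw the peername "IP=127.0.0.1:46504", which matches neither the `peername.ip=10.16.13.84` clause nor the `IP=10\.16\.13\.8[1-6]` regex, and evaluation stopped at "no more <who> clauses". The following Python model of that `by`-clause walk is an added example written for this page, not OpenLDAP code. It assumes the peername string has the "IP=addr:port" shape seen in the log, that `peername.ip` compares only the address part, and that `peername.regex` is an unanchored search over the whole string (that last point is an assumption about slapd, not something the thread states).

```python
import re
from ipaddress import ip_address

# Access levels ranked so that "write" implies "read", as Michal notes.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed copy of the three-clause ACL from the thread: (who, value, level).
ACL = [
    ("self", None, "write"),
    ("peername.ip", "10.16.13.84", "write"),
    ("peername.regex", r"IP=10\.16\.13\.8[1-6]", "read"),
]


def parse_peername(peername):
    """Split a slapd-style 'IP=addr:port' peername into (address, port)."""
    if not peername.startswith("IP="):
        raise ValueError("only IP= peernames are modelled here")
    addr, _, port = peername[3:].rpartition(":")
    return ip_address(addr), int(port)


def clause_matches(who, value, peername, bound_dn, target_dn):
    """Decide whether one <who> clause applies to this connection."""
    if who == "self":
        return bound_dn is not None and bound_dn == target_dn
    if who == "peername.ip":
        # Address-only comparison: the ephemeral client port is ignored.
        addr, _ = parse_peername(peername)
        return addr == ip_address(value)
    if who == "peername.regex":
        # Assumption: unanchored search against the full "IP=addr:port" string,
        # so a pattern without a port part still matches "IP=10.16.13.85:46504".
        return re.search(value, peername) is not None
    if who == "*":
        return True
    raise ValueError(f"unknown <who> clause {who}")


def evaluate(acl, peername, bound_dn=None, target_dn=None):
    """Walk the clauses in order; the first match wins and evaluation stops.

    Returns (granted_level, matched_clause); no match means ("none", None),
    which is the "returning =0 (stop)" line in the slapd log.
    """
    for who, value, level in acl:
        if clause_matches(who, value, peername, bound_dn, target_dn):
            return level, (who, value)
    return "none", None


def allowed(acl, peername, wanted, **kw):
    """True if the granted level covers the requested one (write covers read)."""
    level, _ = evaluate(acl, peername, **kw)
    return LEVELS[level] >= LEVELS[wanted]


if __name__ == "__main__":
    # Peernames are constructed from the values in the thread's log.
    for peer in ("IP=127.0.0.1:46504", "IP=10.16.13.85:46504",
                 "IP=10.16.13.84:51000", "IP=10.16.13.87:1"):
        print(peer, "->", evaluate(ACL, peer))
```

Running it reproduces the thread: the loopback peername gets "none", so the replica's self-directed ldapsearch is denied until it is pointed at the listening address with -h, after which "IP=10.16.13.85:..." matches the regex clause and is granted read. It also shows why the order matters: 10.16.13.84 would also match the regex, but the earlier `peername.ip` clause grants it write first.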