access control

On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> > Anyone know how to set ACIs for connections using the socket interface?
> > 
> > I see we can restrict to IP address or hostname/domain, but I don't see 
> > anything for SLAPI.  Thanks in advance.  -A
> >
> >   
> 
> I think you mean LDAPI.  There is nothing explicit - however, you can 
> set access based on hostname or IP address.  I suppose, since an LDAPI 
> connection has no hostname or IP address, you might be able to use that 
> somehow.

Yes, Rich, you're right it's "ldapi".  Sorry about that.  I must be slapi-happi ;)

However, in the access logs, it appears to use the name "local".

~#] ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-elburn.socket
<snip>
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

And using "local" with either "ip=" or "dns=" doesn't change the behavior.

Usage example: I'd like to let PHP/Apache connect to ldapi with specific 
accounts for different applications.  Right now, it seems like ldapi access is 
either all or nothing.

I could use autobind, but that wouldn't allow different PHP 
processes/applications to have separate access to different parts of the DIT 
as they would all connect via the "apache" user.

I used to use this capability when I used OpenLDAP via the

"by peername.path=/var/run/ldapi read" directive

Thanks again. -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
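As an added example, not part of the thread: a small Python parser over a constructed copy of the 389 DS access-log excerpt above that tags each connection as LDAPI (the "connection from local to <socket>" form) or TCP, records the bind DN and whether the bind succeeded, and flags anonymous LDAPI connections that went on to search. The second connection (conn=1183 from 192.0.2.10 binding as uid=app1) is constructed for contrast and does not appear in the post.

```python
import re

# Constructed sample: the LDAPI connection quoted in the post (conn=1182), joined
# back onto single lines, plus one constructed TCP connection (conn=1183) for contrast.
SAMPLE_LOG = """\
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[25/Oct/2010:17:55:10 -0500] conn=1183 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[25/Oct/2010:17:55:10 -0500] conn=1183 op=0 BIND dn="uid=app1,ou=people,dc=messinet,dc=com" method=128 version=3
[25/Oct/2010:17:55:10 -0500] conn=1183 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app1,ou=people,dc=messinet,dc=com"
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)"')

def summarize(log_text):
    """Return {conn_id: summary}: where each connection came from and what it did."""
    conns, pending_bind = {}, {}
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):          # new connection: "local" means LDAPI socket
            cid, src, dst = m.groups()
            conns[cid] = {"source": src, "via_ldapi": src == "local",
                          "socket": dst if src == "local" else None,
                          "bind_dn": None, "bind_ok": False, "searches": []}
        elif m := BIND_RE.search(line):        # remember the requested DN until RESULT arrives
            cid, op, dn = m.groups()
            pending_bind[(cid, op)] = dn
        elif m := RESULT_RE.search(line):      # err=0 on the BIND op means the bind succeeded
            cid, op, err = m.groups()
            if (cid, op) in pending_bind and err == "0" and cid in conns:
                conns[cid]["bind_dn"] = pending_bind.pop((cid, op))
                conns[cid]["bind_ok"] = True
        elif m := SRCH_RE.search(line):        # record search bases issued on this connection
            cid, base = m.groups()
            if cid in conns:
                conns[cid]["searches"].append(base)
    return conns

def anonymous_ldapi_searches(conns):
    """Connection ids that came in over LDAPI, bound anonymously (dn=""), then searched."""
    return sorted(c for c, s in conns.items()
                  if s["via_ldapi"] and s["bind_ok"] and s["bind_dn"] == "" and s["searches"])
```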

