Re: [389-users] access control

On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> > Anyone know how to set ACIs for connections using the socket interface?
> > 
> > I see we can restrict to IP address or hostname/domain, but I don't see 
> > anything for SLAPI.  Thanks in advance.  -A
> >
> >   
> 
> I think you mean LDAPI.  There is nothing explicit - however, you can 
> set access based on hostname or IP address.  I suppose, since an LDAPI 
> connection has no hostname or IP address, you might be able to use that 
> somehow.

Yes, Rich, you're right it's "ldapi".  Sorry about that.  I must be slapi-
happi ;)

However, in the access logs, it appears to use the name "local".

~#] ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-elburn.socket
<snip>
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

And using "local" with either "ip=" or "dns=" doesn't change the behavior.

Usage example: I'd like to let PHP/Apache connect to ldapi with specific 
accounts for different applications.  Right now, it seems like ldapi access is 
either all or nothing.

I could use autobind, but that wouldn't allow different PHP 
processes/applications to have separate access to different parts of the DIT 
as they would all connect via the "apache" user.

I used to use this capability when I used OpenLDAP via the

"by peername.path=/var/run/ldapi read" directive

Thanks again. -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
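Since an ACI keyed on ip= or dns= cannot tell LDAPI connections apart, the next best control is to audit who actually binds over the socket. The following is an added example, not code from the thread or from the 389 project: it parses the access-log format shown above (peer "local", the BIND line and its tag=97 RESULT) and lists socket connections bound as an identity outside an allow-list. conn=1182 is the post's own anonymous bind; conn=1183 and conn=1184 and the DN uid=app1,ou=apps,dc=messinet,dc=com are constructed for the test.

```python
import re

# conn=1182 is taken from the post above (anonymous bind over LDAPI); conn=1183
# (LDAPI, bound as an app DN) and conn=1184 (TCP, failed bind) are constructed.
SAMPLE_LOG = """\
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:02 -0500] conn=1183 fd=70 slot=70 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:02 -0500] conn=1183 op=0 BIND dn="uid=app1,ou=apps,dc=messinet,dc=com" method=128 version=3
[25/Oct/2010:17:53:02 -0500] conn=1183 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app1,ou=apps,dc=messinet,dc=com"
[25/Oct/2010:17:53:03 -0500] conn=1184 fd=71 slot=71 connection from 192.0.2.10 to 192.0.2.5
[25/Oct/2010:17:53:03 -0500] conn=1184 op=0 BIND dn="uid=app1,ou=apps,dc=messinet,dc=com" method=128 version=3
[25/Oct/2010:17:53:03 -0500] conn=1184 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97")  # tag=97: bind response

def ldapi_binds(log_text):
    """Return {conn_id: (socket_path, bind_dn)} for every LDAPI connection whose
    bind succeeded (err=0 on the tag=97 RESULT). dn="" is reported as 'anonymous';
    connections whose peer is an address rather than 'local' are ignored."""
    sockets = {}   # conn id -> socket path, LDAPI connections only
    pending = {}   # (conn id, op) -> DN of a BIND still awaiting its RESULT
    bound = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(2) == "local":
            sockets[m.group(1)] = m.group(3)
            continue
        m = BIND_RE.search(line)
        if m and m.group(1) in sockets:
            pending[(m.group(1), m.group(2))] = m.group(3) or "anonymous"
            continue
        m = BIND_RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            if m.group(3) == "0":
                bound[m.group(1)] = (sockets[m.group(1)], dn)
    return bound

def unexpected_ldapi_identities(log_text, allowed_dns):
    """Socket connections bound as an identity outside the allow-list (anonymous
    included): the check an ACI on ip=/dns= cannot express, done after the fact."""
    return sorted(c for c, (_, dn) in ldapi_binds(log_text).items() if dn not in allowed_dns)
```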


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
