On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> > Anyone know how to set ACIs for connections using the socket interface?
> >
> > I see we can restrict to IP address or hostname/domain, but I don't see
> > anything for SLAPI. Thanks in advance. -A
> >
> >
> I think you mean LDAPI. There is nothing explicit - however, you can
> set access based on hostname or IP address. I suppose, since an LDAPI
> connection has no hostname or IP address, you might be able to use that
> somehow.
Yes, Rich, you're right, it's "ldapi". Sorry about that. I must be
slapi-happi ;)
However, in the access logs, it appears to use the name "local".
~#] ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-elburn.socket
<snip>
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
And using "local" with either "ip=" or "dns=" doesn't change the behavior.
Usage example: I'd like to let PHP/Apache connect to ldapi with specific
accounts for different applications. Right now, it seems like ldapi access is
either all or nothing.
I could use autobind, but that wouldn't allow different PHP
processes/applications to have separate access to different parts of the DIT
as they would all connect via the "apache" user.
I used to use this capability when I used OpenLDAP via the
"by peername.path=/var/run/ldapi read" directive
Thanks again. -A
--
Anthony -
http://messinet.com -
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
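Since the post shows that LDAPI connections appear in the 389 DS access log as "connection from local to <socket path>" and that the ip=/dns= bind rules give no handle on them, the practical control left to an administrator is auditing: read the access log, tag each connection as LDAPI or TCP, and record which DN it actually bound as (the dn= on the bind RESULT line, which is the effective identity even when the BIND line itself shows dn=""). The parser below is an added example and is not code from the thread or from the 389 Directory Server project. The conn=1182 lines are copied from the post; the conn=1183 lines (a TCP peer at 192.0.2.10 binding as uid=app1) are constructed for contrast, and the regular expressions assume the log format shown above.

```python
import re

# Constructed sample: conn=1182 is taken from the post (an LDAPI client that
# bound anonymously and searched); conn=1183 is made up here to show a TCP peer.
SAMPLE_LOG = """\
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[25/Oct/2010:17:53:05 -0500] conn=1183 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[25/Oct/2010:17:53:05 -0500] conn=1183 op=0 BIND dn="uid=app1,ou=apps,dc=messinet,dc=com" method=128 version=3
[25/Oct/2010:17:53:05 -0500] conn=1183 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app1,ou=apps,dc=messinet,dc=com"
"""

# Connection open line: peer is "local" for LDAPI, an address for TCP.
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
# Bind response (tag=97). Its dn= is the effective bound identity, which is
# what matters under autobind, where the BIND line itself carries dn="".
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97 .*?dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)"')


def parse_access_log(text):
    """Map conn id -> {peer, target, ldapi, bind_dn, searches} from access-log text."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            cid, src, dst = m.groups()
            conns[cid] = {"peer": src, "target": dst, "ldapi": src == "local",
                          "bind_dn": None, "searches": []}
            continue
        m = BIND_RESULT_RE.search(line)
        if m and m.group(3) == "0":          # only successful binds set the identity
            if m.group(1) in conns:
                conns[m.group(1)]["bind_dn"] = m.group(4)
            continue
        m = SRCH_RE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["searches"].append(m.group(2))
    return conns


def anonymous_ldapi_searches(conns):
    """Conn ids of LDAPI connections that searched while bound anonymously.

    On a server where LDAPI is meant to be used only with per-application
    accounts, these are the connections an ACI based on ip=/dns= cannot
    catch, so they deserve a second look.
    """
    return sorted(cid for cid, c in conns.items()
                  if c["ldapi"] and c["bind_dn"] == "" and c["searches"])


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for cid, c in sorted(parsed.items()):
        kind = "LDAPI" if c["ldapi"] else "TCP"
        print(f"conn={cid} {kind} peer={c['peer']} bind_dn={c['bind_dn']!r} searches={c['searches']}")
    print("anonymous LDAPI searches:", anonymous_ldapi_searches(parsed))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the distinction it draws (peer "local" versus an address, plus the effective bind DN) is exactly the one the ip=/dns= bind rules cannot express, so the report is a stop-gap audit rather than a substitute for the OpenLDAP-style peername.path control the post asks for.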