[389-users] access control

Anthony Messina amessina at messinet.com
Mon Oct 25 23:33:29 UTC 2010

On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> > Anyone know how to set ACIs for connections using the socket interface?
> > 
> > I see we can restrict to IP address or hostname/domain, but I don't see 
> > anything for SLAPI.  Thanks in advance.  -A
> >
> >   
> I think you mean LDAPI.  There is nothing explicit - however, you can 
> set access based on hostname or IP address.  I suppose, since an LDAPI 
> connection has no hostname or IP address, you might be able to use that 
> somehow.

Yes, Rich, you're right it's "ldapi".  Sorry about that.  I must be slapi-happi ;)

However, in the access logs, it appears to use the name "local".

~#] ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to 
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

And using "local" with either "ip=" or "dns=" doesn't change the behavior.

Usage example: I'd like to let PHP/Apache connect to ldapi with specific 
accounts for different applications.  Right now, it seems like ldapi access is 
either all or nothing.

I could use autobind, but that wouldn't allow different PHP 
processes/applications to have separate access to different parts of the DIT 
as they would all connect via the "apache" user.

I used to use this capability when I used OpenLDAP via the

"by peername.path=/var/run/ldapi read" directive

Thanks again. -A

Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
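Added example, not part of the original message or of 389 Directory Server: a small parser for the access-log format shown above. It groups lines by conn= id, flags connections whose "connection from" source is "local" (an LDAPI socket) and records the bind DN and searches, so an administrator can list anonymous searches that arrived over ldapi. The log lines in SAMPLE_LOG are constructed for the example (hostnames, DNs and socket path are assumptions); the field layout follows the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original post): one
# anonymous connection over the LDAPI socket, one TCP connection bound as
# an application account. Socket path, addresses and DNs are made up.
SAMPLE_LOG = """\
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-example.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[25/Oct/2010:17:54:10 -0500] conn=1183 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[25/Oct/2010:17:54:10 -0500] conn=1183 op=0 BIND dn="uid=app1,ou=apps,dc=example,dc=com" method=128 version=3
[25/Oct/2010:17:54:10 -0500] conn=1183 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app1,ou=apps,dc=example,dc=com"
[25/Oct/2010:17:54:10 -0500] conn=1183 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(uid=bob)" attrs="mail"
[25/Oct/2010:17:54:10 -0500] conn=1183 op=2 UNBIND
"""

# Every line starts with a timestamp and a conn= id; the rest is operation-specific.
CONN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OPEN_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
# tag=97 is the bind response; its dn= is the identity the server actually bound.
BIND_RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97 .*dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=\d+ SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d)')


def parse_access_log(text):
    """Group log lines per connection and extract source, bind DN and searches."""
    conns = defaultdict(lambda: {"src": None, "ldapi": False, "bind_dn": None,
                                 "bound": False, "searches": []})
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        c = conns[m.group("conn")]
        rest = m.group("rest")
        mo = OPEN_RE.match(rest)
        if mo:
            c["src"] = mo.group("src")
            c["ldapi"] = mo.group("src") == "local"   # LDAPI peers are logged as "local"
            continue
        mb = BIND_RE.match(rest)
        if mb:
            c["bind_dn"] = mb.group("dn")             # "" means anonymous bind
            continue
        mr = BIND_RESULT_RE.match(rest)
        if mr:
            c["bound"] = mr.group("err") == "0"
            c["bind_dn"] = mr.group("dn")             # effective DN after the bind
            continue
        ms = SRCH_RE.match(rest)
        if ms:
            c["searches"].append((ms.group("base"), int(ms.group("scope"))))
    return dict(conns)


def anonymous_ldapi_searches(conns):
    """Connection ids that searched over LDAPI after an anonymous bind."""
    return sorted(cid for cid, c in conns.items()
                  if c["ldapi"] and c["bound"] and c["bind_dn"] == "" and c["searches"])


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for cid in anonymous_ldapi_searches(parsed):
        print(f"conn={cid}: anonymous search over ldapi, bases={parsed[cid]['searches']}")
```

The source field is the only thing in the log that distinguishes an ldapi connection from a TCP one, which is why "local" is what an ACI host rule would have to key on; the parser reflects that by deriving the ldapi flag purely from that token.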