[389-users] access control
Anthony Messina
amessina at messinet.com
Mon Oct 25 23:33:29 UTC 2010
On Monday, October 25, 2010 05:42:59 pm Rich Megginson wrote:
> > Anyone know how to set ACIs for connections using the socket interface?
> >
> > I see we can restrict to IP address or hostname/domain, but I don't see
> > anything for SLAPI. Thanks in advance. -A
> >
> >
>
> I think you mean LDAPI. There is nothing explicit - however, you can
> set access based on hostname or IP address. I suppose, since an LDAPI
> connection has no hostname or IP address, you might be able to use that
> somehow.
Yes, Rich, you're right it's "ldapi". Sorry about that. I must be slapi-happi ;)
However, in the access logs, it appears to use the name "local".
~#] ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd-elburn.socket
<snip>
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
And using "local" with either "ip=" or "dns=" doesn't change the behavior.
Usage example: I'd like to let PHP/Apache connect to ldapi with specific
accounts for different applications. Right now, it seems like ldapi access is
either all or nothing.
I could use autobind, but that wouldn't allow different PHP
processes/applications to have separate access to different parts of the DIT
as they would all connect via the "apache" user.
I used to use this capability when I used OpenLDAP via the
"by peername.path=/var/run/ldapi read" directive
Thanks again. -A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
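Added example, not part of the post above: a small parser that classifies 389 Directory Server access-log connections by transport, using the log format the post shows. An LDAPI client is logged as "connection from local to <socket path>" rather than with an IP address, so the "from" field is what distinguishes socket clients from network clients, and the BindResponse line (tag=97) gives the DN each connection actually bound as. The conn=1182 lines are the excerpt from the post with its wrapped lines rejoined; conn=1183, the 192.0.2.x addresses and the uid=app1 DN are constructed for contrast and are not from the original message.

```python
"""Classify 389 DS access-log connections as LDAPI (socket) or TCP.

Added example; it is not code from the 389-users post or from the 389 project.
"""
import re
from typing import Dict, List

# Constructed sample input. conn=1182 is the post's excerpt with wrapped lines
# rejoined; conn=1183 is a made-up TCP connection added for contrast.
SAMPLE_LOG = """\
[25/Oct/2010:17:53:01 -0500] conn=1182 fd=69 slot=69 connection from local to /var/run/slapd-elburn.socket
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 BIND dn="" method=128 version=3
[25/Oct/2010:17:53:01 -0500] conn=1182 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 SRCH base="dc=messinet,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 UNBIND
[25/Oct/2010:17:53:01 -0500] conn=1182 op=2 fd=69 closed - U1
[25/Oct/2010:17:53:01 -0500] conn=1182 op=1 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[25/Oct/2010:17:55:10 -0500] conn=1183 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[25/Oct/2010:17:55:10 -0500] conn=1183 op=0 BIND dn="uid=app1,ou=people,dc=example,dc=com" method=128 version=3
[25/Oct/2010:17:55:10 -0500] conn=1183 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app1,ou=people,dc=example,dc=com"
[25/Oct/2010:17:55:11 -0500] conn=1183 op=1 UNBIND
[25/Oct/2010:17:55:11 -0500] conn=1183 op=1 fd=70 closed - U1
"""

# Connection-open line: LDAPI clients appear as "from local to <socket path>",
# TCP clients as "from <client ip> to <server ip>".
CONN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'connection from (?P<src>\S+) to (?P<dst>\S+)$'
)

# BindResponse (tag=97). The dn="" on the RESULT line is the DN the connection
# is now bound as; an empty DN with err=0 is an anonymous bind.
BIND_RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=97 .*dn="(?P<dn>[^"]*)"'
)


def summarize_connections(log: str) -> Dict[str, dict]:
    """Return {conn id: {transport, peer, target, bind_dns}} for each connection.

    Lines belonging to a connection whose open line is not in the input (e.g.
    it was opened before a log rotation) are skipped rather than guessed at.
    """
    conns: Dict[str, dict] = {}
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m:
            src = m.group("src")
            conns[m.group("conn")] = {
                "transport": "ldapi" if src == "local" else "tcp",
                "peer": src,                 # "local" or the client IP
                "target": m.group("dst"),    # socket path or server IP
                "bind_dns": [],              # effective DN of each successful bind
            }
            continue
        m = BIND_RESULT_RE.match(line)
        if m and m.group("conn") in conns and m.group("err") == "0":
            conns[m.group("conn")]["bind_dns"].append(m.group("dn"))
    return conns


def anonymous_ldapi_connections(log: str) -> List[str]:
    """Connection ids that arrived over the LDAPI socket and bound anonymously."""
    summary = summarize_connections(log)
    return [
        cid
        for cid, c in sorted(summary.items(), key=lambda kv: int(kv[0]))
        if c["transport"] == "ldapi" and "" in c["bind_dns"]
    ]


if __name__ == "__main__":
    for cid, c in summarize_connections(SAMPLE_LOG).items():
        print(cid, c["transport"], c["peer"], "->", c["target"],
              "binds:", c["bind_dns"] or ["(none)"])
    print("anonymous binds over LDAPI:", anonymous_ldapi_connections(SAMPLE_LOG))
```

Run against a real access log, this gives a quick audit of which connections used the socket and what DN they ended up bound as, which is the information you would want before deciding whether socket access really is "all or nothing" for a given deployment. It only reads the log; it does not change or evaluate any ACI.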