Discussion:
olcAccess with combined "by who" condition
rss ln
2015-10-05 09:02:14 UTC
Hello,

Is it possible to combine olcAccess "by who" conditions for DN and IP
address, so that both conditions must be true? Something like:

to dn.subtree="ou=test,dc=domain,dc=com"
by dn="uid=someuser,ou=users,dc=domain,dc=com" & peername.ip=10.10.10.10
read

So, it should be possible to read the subtree for the user only from the
specific IP address.

I also tried to use "set=(...)" but without success.

Any chance to do that?
Quanah Gibson-Mount
2015-10-05 22:14:39 UTC
Post by rss ln
Hello,
Is it possible to combine olcAccess "by who" condition for DN and IP
to dn.subtree="ou=test,dc=domain,dc=com"
by dn="uid=someuser,ou=users,dc=domain,dc=com" & peername.ip=10.10.10.10
read
So, it should be possible to read the subtree for the user only from the
specific IP address.
I also tried to use "set=(...)" but without success.
Any chance to do that?
It is already noted in the slapd.access(5) man page that you can have
multiple requirements in the WHO clause. I.e., what you're asking for is
already implemented.

Try

by dn.exact="..." peername.ip=xxx read

--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
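
The combined WHO clause from the reply above, written out as a cn=config change with the values from the original question. This is an added example, not part of either post; the database DN (olcDatabase={1}mdb,cn=config) and the {1} insert position are assumptions and must be adjusted to the local configuration.

```ldif
# Added example. Assumed: the database entry is olcDatabase={1}mdb,cn=config
# and the rule is inserted at position {1} of the existing olcAccess list.
# Apply with ldapmodify against cn=config.
#
# All fields listed in one "by" clause must match together: here the bound DN
# must be uid=someuser AND the client address must be 10.10.10.10.
# "by * none" is what slapd applies implicitly at the end of every access
# clause; it is spelled out so the deny for everyone else is visible.
# Continuation lines start with two spaces so one space survives LDIF unfolding.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.subtree="ou=test,dc=domain,dc=com"
  by dn.exact="uid=someuser,ou=users,dc=domain,dc=com" peername.ip=10.10.10.10 read
  by * none
```

A bind as uid=someuser from any other address does not satisfy the first by clause and falls through to "by * none". Access rules earlier in the olcAccess list that already match ou=test are evaluated first, so the position of this rule matters.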
