Univention Bugzilla – Bug 43523
added ldap/acl/read/regex to slapd.conf template
Last modified: 2023-03-25 06:50:59 CET
Description

http://www.openldap.org/doc/admin24/access-control.html

Similar to ldap/acl/read/ips (valid IP address) we need a ldap/acl/read/regex, which allows access to something like 172\.17\.42\..*.

    access to dn.subtree="dc=four,dc=test" attrs=entry,uid
        by peername.regex=127\.0\.0\..* read
        by anonymous auth
        by * +0 break
    access to *
        by set="user & [cn=Domain Admins,cn=groups,dc=four,dc=test]/uniqueMember*" write
        by users read
        by peername.regex=127\.0\.0\..* read
Comment 1

I think it would be better to:

* put the value into double quotes (peername.regex="foo")
* value.strip() the value so that "foo, bar" is possible and not only "foo,bar"
* escape/encode the value correctly via value.replace('\\', '\\\\').replace('"', '\\"')
Comment 2 (Arvid Requate)

Just curious: isn't ldap/acl/read/ips sufficient? Setting

    ucr set ldap/acl/read/ips=127.0.0.0%255.255.255.0

on my UCS 4.1 server results in this:

=============================================================================
access to dn.subtree="dc=ar41i1,dc=qa" attrs=entry,uid
    by peername.ip=127.0.0.0%255.255.255.0 read
    by anonymous auth
    by * +0 break
access to *
    by set="user & [cn=Domain Admins,cn=groups,dc=ar41i1,dc=qa]/uniqueMember*" write
    by users read
    by peername.ip=127.0.0.0%255.255.255.0 read
=============================================================================
Comment 3

(In reply to Arvid Requate from comment #2)
> Just curious: isn't ldap/acl/read/ips sufficient? Setting
>
> ucr set ldap/acl/read/ips=127.0.0.0%255.255.255.0
>
> on my UCS 4.1 server results in this:
> =============================================================================
> access to dn.subtree="dc=ar41i1,dc=qa" attrs=entry,uid
>     by peername.ip=127.0.0.0%255.255.255.0 read
>     by anonymous auth
>     by * +0 break
> access to *
>     by set="user & [cn=Domain
> Admins,cn=groups,dc=ar41i1,dc=qa]/uniqueMember*" write
>     by users read
>     by peername.ip=127.0.0.0%255.255.255.0 read
> =============================================================================

OK, yes that works, reverted to peername.regex changes.
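To show what the quoting, stripping and escaping proposed in comment 1 look like next to the peername.ip lines from comment 2, here is an added Python example; it is not code from this bug or from UCS's own slapd.conf template, and the function names and the ipaddress-based validation are assumptions:

```python
import ipaddress

# Added example, not UCS code: build the "by" clauses of the slapd.conf
# read ACL from UCR values. ldap/acl/read/ips entries are validated as
# IP[%NETMASK] so that a malformed value cannot append further ACL
# tokens to the generated line; ldap/acl/read/regex entries get the
# quoting and escaping proposed in comment 1.


def parse_ip_entries(value):
    """Split a comma separated ldap/acl/read/ips value into validated entries."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()  # "a, b" and "a,b" both work
        if not item:
            continue
        ip, _, mask = item.partition("%")
        ipaddress.ip_address(ip)  # ValueError for anything but an address
        if mask:
            ipaddress.ip_address(mask)
        entries.append(item)
    return entries


def quote_regex(value):
    """Quote a peername.regex value; backslashes and double quotes are
    escaped so the quoted token cannot end early (encoding from comment 1)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped


def render_by_clauses(ips="", regexes=""):
    """Return the 'by ... read' lines for both variables."""
    lines = ["    by peername.ip=%s read" % e for e in parse_ip_entries(ips)]
    # Caveat: splitting on "," means a single regex cannot contain a comma.
    for raw in regexes.split(","):
        item = raw.strip()
        if item:
            lines.append("    by peername.regex=%s read" % quote_regex(item))
    return lines


def render_read_acl(base_dn, ips="", regexes=""):
    """Render the first 'access to' block shown in comment 2 for a base DN."""
    head = 'access to dn.subtree="%s" attrs=entry,uid' % base_dn
    tail = ["    by anonymous auth", "    by * +0 break"]
    return "\n".join([head] + render_by_clauses(ips, regexes) + tail)
```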
Comment 4

Ok, the description has been improved a bit, but that's fine.

diff --git a/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables b/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables index 2b5976de71..a9e7edc944 100644 --- a/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables +++ b/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables [ldap/acl/read/ips] -Description[de]=Wenn die LDAP-Suche nur authentifiziert möglich ist (siehe 'ldap/acl/read/anonymous'), können einzelne IP-Adressen über diese Variable für den anonymen Lesezugriff freigeschaltet werden. Mehrere Werte werden durch Komma getrennt. -Description[en]=If only authenticated LDAP searches are allowed (see 'ldap/acl/read/anonymous'), individual IP addresses can be granted anonymous read permissions via this variable. Multiple values are separated by commas. +Description[de]=Wenn die LDAP-Suche nur authentifiziert möglich ist (siehe 'ldap/acl/read/anonymous'), können einzelne IP-Adressen über diese Variable für den anonymen Lesezugriff freigeschaltet werden. Mehrere Werte werden durch Komma getrennt (z.B. ldap/acl/read/ips='127.0.0.1,192.168.0.0%255.255.255.0'). +Description[en]=If only authenticated LDAP searches are allowed (see 'ldap/acl/read/anonymous'), individual IP addresses can be granted anonymous read permissions via this variable. Multiple values are separated by commas (e.g. ldap/acl/read/ips='127.0.0.1,192.168.0.0%255.255.255.0').
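Review bot: the example added to both Description lines, '192.168.0.0%255.255.255.0', uses the IP%NETMASK form (the same form comment 2 shows as peername.ip=127.0.0.0%255.255.255.0), but the sentence it is attached to still only speaks of "einzelne IP-Adressen" / "individual IP addresses", so a reader has no explanation of what the '%' part means. Suggest saying it explicitly, e.g. "individual IP addresses or networks (IP%NETMASK) can be granted anonymous read permissions", and the same in the German text. It would also help to state whether whitespace after the comma is accepted, since the example shows the values without spaces.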