IP ACI Not Working properly
I have been trying to set up an ACI that restricts a certain user to only be able to modify user information if they are coming from a certain IP. When I put the IP into the ACI, I get anonymous-level access and just get back the information associated with that. Now if I remove the IP restriction, or exclude our subnet (ip != "1.2.3.*"), it works like it should. I checked all the logs as well as the server connections, and the specific IP is connecting and the logs show the correct information as well. I am using DS 6.0, if that helps.
By [UNO-AD-HMa] at [2007-11-27 6:21:49]

# 1
I turned on some ACL logging to see if it could help me out in resolving this issue, and it just confuses me even further. It's basically stating that the IP being returned is the correct one, but it's not being sent a success on access. I went ahead and created an ACI that was only for the IP address:
(target = ldap:///ou=people,dc=sample,dc=com) (targetscope = subtree) (targetattr="*") (version 3.0; acl "Test Permissions"; allow (all, import, export) (ip = "x.x.x.39");)
Then this is what the log says after I try to connect:
.....
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ***BEGIN of ACL INFO[ Name: "Test Permissions"]***
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ACL Index:2294ACL_ELEVEL:8
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ACI type:(compare search read write delete add self target_DN target_attr acltxt allow_rule )
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ACI RULE type:(ip )
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Slapi_Entry DN:ou=people,dc=sample,dc=com
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Handle:341163a8
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 -END OF INFO*****************************
.....
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Evaluating ALLOW aci index:2294
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Returning client ip address 'x.x.x.39'<--this is the right IP
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Processed:2294 ALLOW handles Result:3
.....
[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_summary(main): access_not_allowed(read) on entry/attr(uid=test2,ou=people,dc=sample,dc=com, title) to (uid=test,ou=test,dc=sample,dc=com) (not proxied) (reason: no acis matched the subject )
Not sure what is going on here; it looks to me like this should be good. If I remove the IP restriction (I was keying off the DN and an authmethod before), it works just fine and sends a success. Anyone have any clues?
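To make the ip bind-rule semantics in the ACI above concrete, here is an added example (not code from the original post or from Directory Server) that parses the ip clause out of an ACI string and checks a client address against it, including the octet wildcard form (ip != "1.2.3.*") mentioned in the question. It also pulls the client address out of an NSACLPlugin "Returning client ip address" log line, so the logged address can be checked against the rule directly. The addresses 192.0.2.39 and 198.51.100.7 are constructed placeholders standing in for the x.x.x.39 in the post; only the wildcard pattern form is modelled, and the evaluator covers the ip clause alone, not the server's full access decision.

```python
import re
from ipaddress import ip_address

# Constructed sample ACI, modelled on the one in the post with a placeholder address.
SAMPLE_ACI = (
    '(target = ldap:///ou=people,dc=sample,dc=com) (targetscope = subtree) '
    '(targetattr="*") (version 3.0; acl "Test Permissions"; '
    'allow (all, import, export) (ip = "192.0.2.39");)'
)

# Constructed ACL log line in the same shape as the NSACLPlugin output in the post.
SAMPLE_LOG_LINE = (
    "[04/Jun/2007:14:31:04 -0500] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 "
    "- Returning client ip address '192.0.2.39'"
)

# Matches (ip = "...") or (ip != "..."); the quoted value may hold a comma-separated list.
BIND_RULE_RE = re.compile(r'\(\s*ip\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
LOG_IP_RE = re.compile(r"Returning client ip address '([^']+)'")


def parse_ip_bind_rules(aci):
    """Return a list of (negated, [pattern, ...]) for every ip bind rule in the ACI text."""
    rules = []
    for op, value in BIND_RULE_RE.findall(aci):
        patterns = [p.strip() for p in value.split(",") if p.strip()]
        rules.append((op == "!=", patterns))
    return rules


def ip_matches_pattern(client_ip, pattern):
    """Octet-wise comparison; '*' in a pattern octet matches any value (e.g. 1.2.3.*)."""
    client_octets = str(ip_address(client_ip)).split(".")
    pattern_octets = pattern.split(".")
    if len(client_octets) != 4 or len(pattern_octets) != 4:
        return False  # IPv6 client or malformed pattern: no match under this model
    return all(p == "*" or p == c for p, c in zip(pattern_octets, client_octets))


def ip_bind_rule_satisfied(client_ip, negated, patterns):
    """'=' is satisfied when any pattern matches; '!=' when none does."""
    matched = any(ip_matches_pattern(client_ip, p) for p in patterns)
    return not matched if negated else matched


def evaluate_ip_clause(aci, client_ip):
    """True when every ip bind rule in the ACI accepts client_ip (an ACI with no ip rule passes)."""
    return all(
        ip_bind_rule_satisfied(client_ip, negated, patterns)
        for negated, patterns in parse_ip_bind_rules(aci)
    )


def client_ip_from_acl_log(line):
    """Extract the address from a 'Returning client ip address' ACL log line, or None."""
    match = LOG_IP_RE.search(line)
    return match.group(1) if match else None


if __name__ == "__main__":
    logged_ip = client_ip_from_acl_log(SAMPLE_LOG_LINE)
    print("logged client ip:", logged_ip)
    print("ip clause satisfied:", evaluate_ip_clause(SAMPLE_ACI, logged_ip))
```

Running the block against the constructed log line reports that the ip clause is satisfied for 192.0.2.39, which is the same conclusion the "Returning client ip address" line in the post points to; a subnet exclusion such as (ip != "192.0.2.*") rejects that address and accepts one outside the subnet.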