> > Unfortunately I can't find any hints what "0.0.0.0%0.0.0.0" means. Can
> > anyone explain that?
> 
> 
> It's documented in the slapd.access(5) man page, in the section about 
> "peername".


Thanks for the reply Quanah. Unfortunately I still don't get it. From the 
section in the man page I removed the parts about domains, sockets and IPv6 to 
make it easier to read which leaves me with this:


The statement peername=<peername> means that the contacting host IP (in the 
form IP=<ip>:<port> for IPv4) for peername is compared against pattern to 
determine access.  
The same style rules for pattern match described for the group case apply, plus 
the regex style, which implies submatch expand and regex match of the 
corresponding connection parameters.  
The exact style of the <peername> clause (the default) implies a case-exact 
match on the client's IP, including the IP= prefix and the trailing :<port>. 
The special ip style interprets the pattern as <peername>=<ip>[%<mask>][{<n>}], 
where <ip> and <mask> are dotted digit representations of the IP and the mask, 
while <n>, delimited by curly brackets, is an optional port. 
When checking access privileges, the IP portion of the peername is extracted, 
eliminating the IP= prefix and the :<port> part, and it is compared against the 
<ip> portion of the pattern after masking with <mask>: ((peername & <mask>) == 
<ip>).  
As an example, peername.ip=127.0.0.1 allows connections only from localhost, 
peername.ip=192.168.1.0%255.255.255.0 allows connections from any IP in the 
192.168.1 class C domain, 
and peername.ip=192.168.1.16%255.255.255.240{9009} allows connections from any 
IP in the 192.168.1.[16-31] range of the same domain, only if port 9009 is used.
The expand style is allowed, implying an exact match with submatch expansion; 
the use of expand as a style modifier is considered more appropriate.


From this edited man-page excerpt I can easily determine that 
peername.ip=10.10.0.0%255.255.0.0 would allow access for any hosts in the 
10.10.0.0/16 IP-range. The subnet mask part in my case is also clear. However 
I still don't know what exact meaning the IP part 0.0.0.0 has. 

Anyone willing to elaborate? Am I correct in assuming 
peername.ip=0.0.0.0%0.0.0.0 allows access to any IP?

Best regards and have a nice weekend,
Cyril
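
The comparison quoted from the man page above, ((peername & <mask>) == <ip>), worked through as an added Python example; it is not part of the original message and not slapd's own code. The function names, the constructed sample peernames and the all-ones default for an omitted mask (inferred from the peername.ip=127.0.0.1 example) are assumptions.

```python
import ipaddress
import re

# Pattern form from the excerpt: <ip>[%<mask>][{<n>}]
_PATTERN = re.compile(
    r"^(?P<ip>[\d.]+)(?:%(?P<mask>[\d.]+))?(?:\{(?P<port>\d+)\})?$"
)
# Peername form from the excerpt: IP=<ip>:<port> (IPv4 only in this example)
_PEERNAME = re.compile(r"^IP=(?P<ip>[\d.]+):(?P<port>\d+)$")


def _to_int(dotted):
    """Dotted-quad string to a 32-bit integer; rejects malformed addresses."""
    return int(ipaddress.IPv4Address(dotted))


def peername_ip_matches(pattern, peername):
    """Evaluate ((peername & <mask>) == <ip>) plus the optional {port} check."""
    pat = _PATTERN.match(pattern)
    peer = _PEERNAME.match(peername)
    if not pat or not peer:
        raise ValueError("unsupported pattern or peername")
    # Assumption: a missing %<mask> behaves like 255.255.255.255, since the
    # excerpt says peername.ip=127.0.0.1 allows localhost only.
    mask = _to_int(pat["mask"] or "255.255.255.255")
    if pat["port"] is not None and int(pat["port"]) != int(peer["port"]):
        return False
    return (_to_int(peer["ip"]) & mask) == _to_int(pat["ip"])


# Constructed sample peernames, in the IP=<ip>:<port> form the excerpt describes.
SAMPLES = [
    "IP=127.0.0.1:51000",
    "IP=192.168.1.20:9009",
    "IP=10.10.3.4:40000",
    "IP=203.0.113.7:389",
]


def matching(pattern):
    """Return the sample peernames that the given peername.ip pattern accepts."""
    return [p for p in SAMPLES if peername_ip_matches(pattern, p)]


if __name__ == "__main__":
    for pattern in ("127.0.0.1", "192.168.1.16%255.255.255.240{9009}",
                    "10.10.0.0%255.255.0.0", "0.0.0.0%0.0.0.0"):
        print(pattern, "->", matching(pattern))
```

With a mask of 0.0.0.0 every address masks down to 0.0.0.0, so under the stated comparison 0.0.0.0%0.0.0.0 accepts every IPv4 peername, while a non-zero <ip> combined with that mask would accept none.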
