[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Question: a group of peernames ?

To: Robert J Gautier <rjg@ateb.co.uk>
Subject: Re: ACL Question: a group of peernames ?
From: Markus Benning <benning@erlm.siemens.de>
Date: Tue, 4 Dec 2001 10:31:26 +0100
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <20011203112136.B5148@erls02.siemens.de>; from benning@erlm.siemens.de on Mon, Dec 03, 2001 at 11:21:36AM +0100
References: <20011203105400.A5148@erls02.siemens.de> <Pine.LNX.4.33.0112031003350.1003-100000@grey.brynaeron.org> <20011203112136.B5148@erls02.siemens.de>
User-agent: Mutt/1.2.5i

Hi again,

what i want is something like this:

access to dn=(.*,)*ou=nis,o=myorg
        by group="cn=admins,ou=nis,o=myorg" write
        by users read
	by group_hosts="cn=groupOfHosts,ou=nis,o=myorg" read

it will be possible to limit anonymous read access to hosts in
a Group.
But this is not possible at the moment right ?
I found nothing about matching a peername in a group.

I'm thinking about adding this to my slapd.

Markus

On Mon, Dec 03, 2001 at 11:21:36AM +0100, Markus Benning wrote:
> > > Hi everyone,
> > >
> > > I'm searching for a way to Limit Access to a list of Hosts.
> > >
> > > Is it possible to have a group of hostnames and/or ips in
> > > the LDAP Tree and limit Access to hosts in that group ?
> > >
> > > An other way will to generate iptables rules out of
> > > the LDAP Directory with a little script.
> > > But this is not the perfect way.
> > 
> > That seems like a pretty good way:
> > 
> > 1) The access control is done in the kernel, so slapd isn't
> > 	bothered by attacks;
> > 
> > 2) Your script can be server-independent (e.g. could work with
> > 	some other LDAP server implementation);
> > 
> > 3) Your script can run in the firewall,	rather than on your LDAP
> > 	server host;
> > 
> > 4) Your access control can be more dynamic, responding to changes
> > 	in your LDAP directory content -- AFAIK ACLs can't be
> > 	changed at runtime.
> > 
> > Bob G
> 
> 1) Yes it will be faster in kernel than in slapd
> 
> 2) right, but i have only openldap servers
> 
> 3) i dont have control over the firewall
> 
> 4) when using ipchains a restart of the skript
>    is needed after every change.
> 
> But i think access control in slapd will be
> the better way for me because:
> - I can give finer permissions
>   I have 3 Directorys in my rootdn
>   not all host need access to all
>   Directorys.
> - Changes are relpicated to the slave
>   and no restart of a script is needed.

-- 
Markus Benning

   .^.
   /V\     Tel. : +49 9131 7 21713
 /(   )\   Email: Markus.Benning@siemens.com
  ^^-^^    __________________________________

References:
- ACL Question: a group of peernames ?
  - From: Markus Benning <benning@erlm.siemens.de>
- Re: ACL Question: a group of peernames ?
  - From: Robert J Gautier <rjg@ateb.co.uk>
- Re: ACL Question: a group of peernames ?
  - From: Markus Benning <benning@erlm.siemens.de>

Prev by Date: Re: OpenLDAP with tsl/ssl
Next by Date: How reload slapd?
Index(es):
- Chronological
- Thread