
ACL using netgroups
Hi all,
I'd like to set up an ACL which allows access to a subtree only to a user, and only if the query is coming from a restricted set of hosts.
Up to now I've been doing this:


access to dn.subtree="ou=People,dc=example,dc=com"
  by self read
  by dn="cn=myuser,dc=example,dc=com" \
     peername.regex="10\.10\.10\.1[0-9]" read
  by * none

This works.
However, the number of hosts to be allowed in this way is rapidly increasing, and it is not easy to group their addresses in such a way as to make them easily summarized by a single regex, or a limited group of regexps.
Moreover, for other reasons I have grouped the hosts in a netgroup inside the same database:


dn: cn=mynodes,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: mynodes
nisNetgroupTriple: (node0.example.com,-,-)
nisNetgroupTriple: (node1.example.com,-,-)
(...)
nisNetgroupTriple: (node9.example.com,-,-)

My question is: is there any way to set up the ACL above in such a way as to use this netgroup definition to limit access to the hosts listed in the netgroup AND to the user as above, at the same time? I'm dreaming of something like:

access to dn.subtree="ou=People,dc=example,dc=com"
  by self read
  by dn="cn=myuser,dc=example,dc=com" \
     netgroup="cn=mynodes,ou=netgroup,dc=example,dc=com" read
  by * none

Any way to do something like this?
I beg your pardon if this is a stupid question, I'm just an LDAP beginner.
Thanks in advance

Claudio
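Added example, not part of Claudio's post and not code from the OpenLDAP project: one way to keep the netgroup as the single source of truth is to expand its nisNetgroupTriple host fields into one `by` clause per host, using slapd's `peername.ip=` who-clause (exact address match, OpenLDAP 2.3 and later) instead of an unanchored `peername.regex`. The netgroup entry and the host-to-address map below are constructed for illustration; in practice the addresses would come from DNS or the host inventory. The script also shows why the regex in the original ACL is wider than it looks: slapd compares the peer name string `IP=<address>:<port>` with an unanchored regex search, so `10\.10\.10\.1[0-9]` also matches 10.10.10.100 through 10.10.10.199.

```python
"""Expand an OpenLDAP nisNetgroup entry into slapd ACL 'by' clauses.

Added example (not from the original post). The netgroup entry and the
host-to-address map are constructed; the ACL syntax assumed is
slapd.access(5)'s  dn="..." peername.ip=<address>  who-clause.
"""
import re

# Constructed netgroup entry in LDIF form (three hosts instead of ten).
NETGROUP_LDIF = """\
dn: cn=mynodes,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: mynodes
nisNetgroupTriple: (node0.example.com,-,-)
nisNetgroupTriple: (node1.example.com,-,-)
nisNetgroupTriple: (node9.example.com,-,-)
"""

# Constructed host -> IPv4 mapping (assumed; stands in for a DNS lookup).
HOST_ADDRS = {
    "node0.example.com": "10.10.10.10",
    "node1.example.com": "10.10.10.11",
    "node9.example.com": "10.10.10.100",
}

# NIS triple: (host,user,domain); an empty field is a wildcard, '-' is "none".
TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^)]*)\)$")


def netgroup_hosts(ldif_text):
    """Return the host field of every nisNetgroupTriple in the entry."""
    hosts = []
    for line in ldif_text.splitlines():
        if not line.startswith("nisNetgroupTriple:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = TRIPLE_RE.match(value)
        if not m:
            raise ValueError("malformed netgroup triple: %r" % value)
        host = m.group("host")
        if host == "":
            # Empty host field is the NIS wildcard. Refusing is safer than
            # silently turning "restricted set of hosts" into "any host".
            raise ValueError("wildcard host in netgroup triple: %r" % value)
        if host == "-":
            continue  # '-' means no host: nothing to allow
        hosts.append(host)
    return hosts


def acl_clauses(user_dn, hosts, addr_map):
    """One 'by' clause per host; dn and peername.ip are ANDed by slapd."""
    clauses = []
    for host in hosts:
        if host not in addr_map:
            # Fail closed: an unresolvable host must not drop out quietly.
            raise ValueError("no address for netgroup host %s" % host)
        clauses.append('  by dn="%s" peername.ip=%s read' % (user_dn, addr_map[host]))
    return clauses


def render_acl(subtree_dn, user_dn, hosts, addr_map):
    """Full access directive in the shape used in the post."""
    lines = ['access to dn.subtree="%s"' % subtree_dn, "  by self read"]
    lines += acl_clauses(user_dn, hosts, addr_map)
    lines.append("  by * none")
    return "\n".join(lines)


def peername_matches(pattern, peername):
    """Mimic slapd's peername.regex test: an unanchored regex search
    against the peer name string, e.g. 'IP=10.10.10.15:49152'."""
    return re.search(pattern, peername) is not None


if __name__ == "__main__":
    hosts = netgroup_hosts(NETGROUP_LDIF)
    print(render_acl("ou=People,dc=example,dc=com",
                     "cn=myuser,dc=example,dc=com", hosts, HOST_ADDRS))
    # The original, unanchored regex also admits 10.10.10.100-199:
    print(peername_matches(r"10\.10\.10\.1[0-9]", "IP=10.10.10.100:49152"))
    # Anchoring on the IP=...:port form closes that gap:
    print(peername_matches(r"^IP=10\.10\.10\.1[0-9]:[0-9]+$", "IP=10.10.10.100:49152"))
```

The generated directive is meant to be written into slapd.conf (or the olcAccess attribute) by whatever tooling already maintains the netgroup, so the host list changes in exactly one place. If the regex form is kept instead, anchor it on the full `IP=<address>:<port>` string as shown, otherwise the address range is wider than intended.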