[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL using netgroups

To: openldap-software@OpenLDAP.org
Subject: ACL using netgroups
From: Claudio Strizzolo <Claudio.Strizzolo@ts.infn.it>
Date: Wed, 22 Nov 2006 08:49:31 +0100
User-agent: Thunderbird 1.5.0.8 (X11/20061108)

Hi all, I'd like to set up an ACL which allows access to a subtree only to a user, and only if the query is coming from a restricted set of hosts. Up to now I've been doing this:

access to dn.subtree="ou=People,dc=example,dc=com"
  by self read
  by dn="cn=myuser,dc=example.com" \
     peername.regex="10\.10\.10\.1[0-9]" read
  by * none

This works. However, the number of hosts to be allowed in this way is rapidly increasing, and it is not easy to group their addresses in such a way to make them easily summarized by a single regex, or a limited group of regexp. Moreover, for other reasons I have grouped the hosts in a netgroup inside the same database:

dn: cn=mynodes,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: mynodes
nisNetgroupTriple: (node0.example.com,-,-)
nisNetgroupTriple: (node1.example.com,-,-)
(...)
nisNetgroupTriple: (node9.example.com,-,-)

My question is: is there any way to set the ACL above in such a way to use this netgroup definition to limit access to the hosts listed in the netgroup AND to the user as above, at the same time? I'm dreaming of something like:

access to dn.subtree="ou=People,dc=example,dc=com"
  by self read
  by dn="cn=myuser,dc=example.com" \
     netgroup="cn=mynodes,ou=netgroup,dc=example,dc=com" read
  by * none

Any way to do something like this?
I beg your pardon if this is a stupid question, I'm just a LDAP beginner.
Thanks in advance

Claudio

Follow-Ups:
- Re: ACL using netgroups
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Re: is_entry_objectclass() no objectClass attribute
Next by Date: slapd + valsort using 100% CPU and causing slpad to become unresponsive
Index(es):
- Chronological
- Thread