ACL using netgroups
Hi all,
I'd like to set up an ACL which allows access to a subtree only to a
user, and only if the query is coming from a restricted set of hosts.
Up to now I've been doing this:
access to dn.subtree="ou=People,dc=example,dc=com"
by self read
by dn="cn=myuser,dc=example.com" \
peername.regex="10\.10\.10\.1[0-9]" read
by * none
This works.
However, the number of hosts to be allowed in this way is rapidly
increasing, and it is not easy to group their addresses in such a way as to
make them easily summarized by a single regex, or a limited group of regexps.
Moreover, for other reasons I have grouped the hosts in a netgroup
inside the same database:
dn: cn=mynodes,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: mynodes
nisNetgroupTriple: (node0.example.com,-,-)
nisNetgroupTriple: (node1.example.com,-,-)
(...)
nisNetgroupTriple: (node9.example.com,-,-)
My question is: is there any way to set the ACL above in such a way as to
use this netgroup definition to limit access to the hosts listed in the
netgroup AND to the user as above, at the same time? I'm dreaming of
something like:
access to dn.subtree="ou=People,dc=example,dc=com"
by self read
by dn="cn=myuser,dc=example.com" \
netgroup="cn=mynodes,ou=netgroup,dc=example,dc=com" read
by * none
Any way to do something like this?
I beg your pardon if this is a stupid question, I'm just an LDAP beginner.
Thanks in advance
Claudio
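One way to bridge the gap the post describes without relying on an ACL feature slapd may not have is to generate the ACL from the netgroup entry: read the nisNetgroupTriple values, resolve each host, and emit one `by dn.exact=... peername.ip=<ip> read` clause per host (peername.ip is documented in slapd.access(5)). The script below is an added example written for this page, not code from the poster or from the OpenLDAP project; the LDIF is the one in the post, and the host-to-address table is a constructed stand-in for a DNS lookup.

```python
"""Generate a slapd ACL from a nisNetgroup entry (added example, not from the post).

Assumptions:
- the netgroup LDIF has the shape shown in the post;
- HOST_TO_IP is a constructed resolution table standing in for DNS
  (in a real deployment you would resolve names with socket.gethostbyname
  or read the addresses from your inventory);
- peername.ip=<ip> is accepted by slapd, as documented in slapd.access(5).
"""
import re
from typing import Callable, List, Optional, Tuple

# Netgroup entry copied from the post (the "(...)" elision dropped).
NETGROUP_LDIF = """\
dn: cn=mynodes,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: mynodes
nisNetgroupTriple: (node0.example.com,-,-)
nisNetgroupTriple: (node1.example.com,-,-)
nisNetgroupTriple: (node9.example.com,-,-)
"""

# Constructed sample addresses; replace with a real resolver.
HOST_TO_IP = {
    "node0.example.com": "10.10.10.10",
    "node1.example.com": "10.10.10.11",
    "node9.example.com": "10.10.10.19",
}

# A triple is "(host,user,domain)"; "-" or empty means "any" for that field.
TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^)]*)\)$")


def parse_netgroup_hosts(ldif: str) -> List[str]:
    """Return the host field of every nisNetgroupTriple that names a host."""
    hosts = []
    for line in ldif.splitlines():
        if not line.startswith("nisNetgroupTriple:"):
            continue
        value = line.split(":", 1)[1].strip()
        match = TRIPLE_RE.match(value)
        if match is None:
            raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
        host = match.group("host")
        if host and host != "-":          # wildcard host entries are skipped
            hosts.append(host)
    return hosts


def build_acl(subtree: str, user_dn: str, hosts: List[str],
              resolve: Callable[[str], Optional[str]]) -> Tuple[str, List[str]]:
    """Emit an 'access to' stanza with one peername.ip clause per resolved host.

    Hosts that do not resolve are reported, not silently replaced by a wider
    match, so the generated rule never grants more than the netgroup lists.
    """
    lines = [f'access to dn.subtree="{subtree}"', "    by self read"]
    skipped = []
    for host in hosts:
        ip = resolve(host)
        if ip is None:
            skipped.append(host)
            continue
        lines.append(f'    by dn.exact="{user_dn}" peername.ip={ip} read')
    lines.append("    by * none")       # everything else falls through to deny
    return "\n".join(lines), skipped


if __name__ == "__main__":
    found = parse_netgroup_hosts(NETGROUP_LDIF)
    acl, missing = build_acl("ou=People,dc=example,dc=com",
                             "cn=myuser,dc=example,dc=com", found, HOST_TO_IP.get)
    print(acl)
    if missing:
        print("# unresolved hosts (no clause emitted):", ", ".join(missing))
```

Each `by` clause only matches when both the bind DN and the peer address match, so the user binding from a host outside the netgroup falls through to `by * none`. Two caveats for anyone using this approach: the generated file must be regenerated whenever the netgroup or the addresses change, and peername reflects the TCP peer, so clients behind NAT or a proxy all present the same address. Matching on peername.ip also sidesteps the anchoring pitfalls of a bare `peername.regex`.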