
Re: ACL using netgroups



Claudio Strizzolo <Claudio.Strizzolo@ts.infn.it> writes:

> Hi all,
> I'd like to set up an ACL which allows access to a subtree only to a
> user, and only if the query is coming from a restricted set of hosts.
> Up to now I've been doing this:
>
> access to dn.subtree="ou=People,dc=example,dc=com"
>    by self read
>    by dn="cn=myuser,dc=example,dc=com" \
>       peername.regex="10\.10\.10\.1[0-9]" read
>    by * none
>
> This works.
> However, the number of hosts to be allowed in this way is rapidly
> increasing, and it is not easy to group their addresses in such a way
> that they can be summarized by a single regex, or by a limited set of
> regexps.
> Moreover, for other reasons I have grouped the hosts in a netgroup
> inside the same database:
>
> dn: cn=mynodes,ou=netgroup,dc=example,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: mynodes
> nisNetgroupTriple: (node0.example.com,-,-)
> nisNetgroupTriple: (node1.example.com,-,-)
> (...)
> nisNetgroupTriple: (node9.example.com,-,-)
>
> My question is: is there any way to write the ACL above so that it
> uses this netgroup definition to limit access to the hosts listed in
> the netgroup AND to the user as above, at the same time? I'm dreaming
> of something like:
>
> access to dn.subtree="ou=People,dc=example,dc=com"
>    by self read
>    by dn="cn=myuser,dc=example,dc=com" \
>       netgroup="cn=mynodes,ou=netgroup,dc=example,dc=com" read
>    by * none
>
> Any way to do something like this?
> I beg your pardon if this is a stupid question, I'm just an LDAP beginner.
> Thanks in advance

man slapd.access(5) and http://www.openldap.org/faq/data/cache/52.html

group/nisNetgroup/nisNetgroupTriple=cn=mynodes,ou=netgroup,dc=example,dc=com

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
N 53°37'10.08"
E 10°08'02.82"
GPG Key ID:8EF7B6C6
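
Editor's note: the following slapd.conf fragment is an added example, not taken from either message in this thread. It shows two things a practitioner would want to check in the original rule. First, the `peername.regex` pattern in the original post is unanchored: slapd matches it anywhere in the peername string, which for a TCP client has the form `IP=<address>:<port>`, so `10\.10\.10\.1[0-9]` also accepts 10.10.10.100 through 10.10.10.199 and any address that merely contains that substring. Second, slapd.access(5) (OpenLDAP 2.3 and later) offers the `peername.ip` style, which takes an address with an optional netmask and avoids regexes for whole ranges. The DNs, addresses and the 10.10.20.0/24 netmask are assumed for illustration. One caveat on the reply above: the manpage documents a `group` clause as a test of whether the bound DN appears as a value of the named attribute in the group entry, so verify with slapacl that a `nisNetgroupTriple` group behaves as you expect for host-based restriction before relying on it.

```conf
# Added example (slapd.conf syntax, OpenLDAP 2.3 or later assumed).
# The peername seen by slapd for a TCP client is "IP=<address>:<port>";
# anchoring the regex with ^ and $ stops 10.10.10.100-199, or an address
# such as 110.10.10.10, from matching as a substring.  The second "by"
# clause admits an assumed whole subnet, 10.10.20.0/24, via peername.ip.
access to dn.subtree="ou=People,dc=example,dc=com"
    by self read
    by dn.exact="cn=myuser,dc=example,dc=com"
       peername.regex="^IP=10\.10\.10\.1[0-9]:[0-9]+$" read
    by dn.exact="cn=myuser,dc=example,dc=com"
       peername.ip="10.10.20.0%255.255.255.0" read
    by * none

# Check the rule offline with slapacl(8) before reloading slapd, supplying
# the bind DN and a peername as the server would see them (entry DN and
# port are assumed); the first call should report "read" and the second
# should not:
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "cn=myuser,dc=example,dc=com" \
#       -o peername="IP=10.10.10.12:41234" \
#       -b "uid=alice,ou=People,dc=example,dc=com" entry/read
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "cn=myuser,dc=example,dc=com" \
#       -o peername="IP=10.10.10.120:41234" \
#       -b "uid=alice,ou=People,dc=example,dc=com" entry/read
```

The `dn.exact` style is used rather than a bare `dn=` so the match mode does not depend on the default for the slapd version in use. If the allowed hosts do not sit in a contiguous range, several `peername.ip` clauses for the same bind DN are still easier to audit than one long regex.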