
Re: ACL using netgroups



Claudio Strizzolo wrote:
Checking configuration files for slurpd: /etc/openldap/userauth.acl:
line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com":
inappropriate syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what> [ by <who> <access> [ <control> ] ]+

Could you please post a few sample lines of cn=linuxa

Here they are:

# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)
As already pointed out by Kurt, the "group" access requires the member attr to have DN syntax (or, as an exception, nameUID syntax: that of uniqueMember, in short, for historical reasons). The syntax of nisNetgroupTriple is 1.3.6.1.1.1.0.0 which is not DN syntax. Moreover, the nisNetgroupTriple does not provide an equality rule, which means it wouldn't be possible to compare instances of it, assuming one can extract the hostname portion.

I don't see a clear solution to your problem which does not include hacking the code. Perhaps you should consider redesigning your database and your access control policies: if you want to use grouping for access control purposes, you should use LDAP groups ("groupOfNames" objectClass and "member" attribute); in any case, you shouldn't use peernames in access control, as that requires reverse lookups which are inherently unsafe and thus inappropriate for access control which is related to security. You should rather require authentication (any client which doesn't support authentication shouldn't even be considered), and group user DNs for access control purposes.

If you really really need to live with using netgroups for authentication, you could develop a "dynacl" module; there's an example in contrib/slapd-modules/acl/ which allows grouping in terms of posix groups, based on the uidNumber. That plugin is not meant for production, nor should it be seen as a valid idea to base access control design on, but just as an example of how to code custom access checking.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
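As an added example (not from this thread and not OpenLDAP's own code), the script below re-implements, for a handful of `by group...` who-clauses, the check that slaptest/slurpd applied to Claudio's line 82: the attribute named in `group[/objectClass[/attr]]="dn"` must have DN syntax (1.3.6.1.4.1.1466.115.121.1.12) or nameAndOptionalUID syntax (1.3.6.1.4.1.1466.115.121.1.34), and must carry an EQUALITY rule so members can be compared. The schema table is a constructed subset with OIDs taken from RFC 4517 and RFC 2307 (OpenLDAP nis.schema); the failing directive is an assumed reconstruction of line 82, since the message only shows the error, and the `ou=groups` DNs and the `ou=People` subtree are hypothetical. It also flags `peername` clauses, which the reply advises against.

```python
import re

# Syntax OIDs (RFC 4517 / RFC 2307). The "group" <who> clause accepts only the first two.
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"        # distinguishedName
NAME_UID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"  # nameAndOptionalUID (uniqueMember)
NETGROUP_TRIPLE_SYNTAX = "1.3.6.1.1.1.0.0"         # nisNetgroupTriple (RFC 2307)
IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"       # IA5String (memberUid)

# Constructed schema subset: attribute -> (syntax OID, EQUALITY matching rule or None).
# nisNetgroupTriple is defined in OpenLDAP's nis.schema with no EQUALITY rule.
SCHEMA = {
    "member":            (DN_SYNTAX, "distinguishedNameMatch"),
    "uniqueMember":      (NAME_UID_SYNTAX, "uniqueMemberMatch"),
    "nisNetgroupTriple": (NETGROUP_TRIPLE_SYNTAX, None),
    "memberUid":         (IA5_SYNTAX, "caseExactIA5Match"),
}

# group[/objectClass[/attrName]][.style]="<dn>"  (slapd.access(5) who-clause)
GROUP_RE = re.compile(
    r'group(?:/(?P<oc>[\w-]+)(?:/(?P<attr>[\w-]+))?)?(?:\.(?P<style>\w+))?="(?P<dn>[^"]*)"'
)

def check_group_clause(clause):
    """Return (ok, message) for one 'group...="dn"' who-clause, mimicking slaptest."""
    m = GROUP_RE.fullmatch(clause.strip())
    if not m:
        raise ValueError(f"not a group <who> clause: {clause!r}")
    oc = m.group("oc") or "groupOfNames"      # slapd defaults
    attr = m.group("attr") or "member"
    if attr not in SCHEMA:
        return False, f"{attr}: attribute type undefined"
    syntax, equality = SCHEMA[attr]
    if syntax not in (DN_SYNTAX, NAME_UID_SYNTAX):
        # This is the error Claudio saw: the member attribute is not DN-valued.
        return False, f'group "{m.group("dn")}": inappropriate syntax: {syntax}'
    if equality is None:
        return False, f"{attr}: no EQUALITY matching rule, members cannot be compared"
    return True, f'group "{m.group("dn")}" ok via {oc}/{attr} (syntax {syntax})'

def check_access_directive(directive):
    """Check every 'by group...' clause of one access directive."""
    tokens = re.findall(r'by\s+(group[\w/.-]*="[^"]*")', directive)
    return [check_group_clause(tok) for tok in tokens]

def peername_clauses(directive):
    """List who-clauses keyed on the client's peer name (reverse lookups; avoid)."""
    return re.findall(r'by\s+(peername[\w.-]*="[^"]*")', directive)

# Constructed directives: the assumed line 82, the corrected form, and two variants.
BROKEN = ('access to dn.subtree="ou=People,dc=example,dc=com" '
          'by group/nisNetgroup/nisNetgroupTriple="cn=linuxa,ou=netgroup,dc=example,dc=com" read '
          'by * none')
FIXED = ('access to dn.subtree="ou=People,dc=example,dc=com" '
         'by group="cn=linuxa,ou=groups,dc=example,dc=com" read '
         'by users search by * none')
UNIQUE = ('access to dn.subtree="ou=People,dc=example,dc=com" '
          'by group/groupOfUniqueNames/uniqueMember="cn=admins,ou=groups,dc=example,dc=com" write')
POSIX = ('access to dn.subtree="ou=People,dc=example,dc=com" '
         'by group/posixGroup/memberUid="cn=wheel,ou=groups,dc=example,dc=com" read '
         'by peername.regex="^IP=10\\.0\\.0\\." read')

if __name__ == "__main__":
    for name, d in (("BROKEN", BROKEN), ("FIXED", FIXED), ("UNIQUE", UNIQUE), ("POSIX", POSIX)):
        for ok, msg in check_access_directive(d):
            print(f"{name}: {'OK ' if ok else 'ERR'} {msg}")
        for p in peername_clauses(d):
            print(f"{name}: WARN peer-name based clause (reverse lookup): {p}")
```

The posixGroup case fails for the same reason as the netgroup one (memberUid is an IA5 string, not a DN), which is why the contrib dynacl module the reply mentions has to resolve uidNumber itself rather than rely on the built-in `group` check.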