Emmanuel Dreyfus writes:
As far as I know, it is not possible to match an IP subnet. For instance, if I have an object like this:
dn: cn=foo,o=example
managedAddr: 192.0.2.0/24
And this kind of thing does not seem available:
ldapsearch 'managedAddr:addressInSubnetMatch:=192.0.2.1'
Remember that even if it were, OpenLDAP does not support indexing for such filters. So each search would have to inspect every IP-subnet entry in scope.
That's another thing which would be quite nice if someone implemented someday: Indexing for extended filters. Not me though...
- can someone confirm this cannot be done yet?
It can't.
- is there an RFC to implement that does this? Or should I start with what I have thought about and presented above?
I would google around for ldap ip ranges and also look for Microsoft syntax/matching rules first. No need to be different from them if they already have sensible definitions. (Except it might still be best to use our own OIDs; proprietary syntaxes/rules may be changed at any time.)
RFC 2307 has some IP address attributes, but not useful to search for ranges and subnets.
- is this functionality welcome?
Well, we'd use it at our site - at least what supports indexing.
- where do I start to implement it? The thing happens in schema_init.c and schema_prep.c, but I need to select an OID. How?
OpenLDAP has an experimental OID arc, but I don't know where to see which ones are used.
The motivation is DNS configuration stored in LDAP. That feature could enable the delegation of subnet management to different administrators, the access being enforced by slapd ACL.
At our site we store IP ranges as two integer attributes (start, end), and put an equality index on these attributes. In 2.4, equality index for integers also supports inequality filters <= and >=, so we can do an indexed search for (&(ipRangeStart<=value)(ipRangeEnd>=value)).
That doesn't allow us to have two IP ranges in the same LDAP entry though.
An alternative would be to use binary representation and substring match, but this strikes me as somewhat suboptimal :-)
BTW, one point to keep in mind: What do IP ranges look like in IPv6?
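The following is an added example, not code from the thread or from OpenLDAP. It models the two approaches discussed above: the indexed (start, end) integer scheme with the filter (&(ipRangeStart<=v)(ipRangeEnd>=v)), and a local stand-in for the proposed addressInSubnetMatch rule applied to a CIDR-valued managedAddr. The attribute names come from the thread; the directory entries are constructed here and no LDAP server is contacted. It also shows why the integer scheme breaks down when one entry holds two ranges, and that the CIDR approach carries over to IPv6 unchanged.

```python
"""Added example (not from the thread): model the two ways of finding which
LDAP entry manages an IP address that are discussed above.

1. The indexed (start, end) integer scheme: attributes ipRangeStart and
   ipRangeEnd and the filter (&(ipRangeStart<=v)(ipRangeEnd>=v)).
2. A local model of the proposed addressInSubnetMatch extensible rule
   applied to a CIDR-valued managedAddr attribute.

Attribute names come from the thread; the entries are constructed here."""
import ipaddress


def subnet_bounds(cidr):
    """First and last address of a CIDR block as integers, i.e. the values one
    would store in ipRangeStart / ipRangeEnd.  Works for IPv4 and IPv6."""
    net = ipaddress.ip_network(cidr, strict=True)
    return int(net.network_address), int(net.broadcast_address)


def range_filter(address):
    """The indexed filter from the thread for the given address."""
    v = int(ipaddress.ip_address(address))
    return "(&(ipRangeStart<=%d)(ipRangeEnd>=%d))" % (v, v)


def make_entry(dn, *cidrs):
    """Constructed entry holding both representations of each CIDR block."""
    entry = {"dn": dn, "managedAddr": [], "ipRangeStart": [], "ipRangeEnd": []}
    for cidr in cidrs:
        first, last = subnet_bounds(cidr)
        entry["managedAddr"].append(cidr)
        entry["ipRangeStart"].append(first)
        entry["ipRangeEnd"].append(last)
    return entry


def range_filter_matches(entry, address):
    """Evaluate (&(ipRangeStart<=v)(ipRangeEnd>=v)) with LDAP semantics: an
    attribute assertion is true if ANY value of the attribute satisfies it.
    The two clauses are evaluated independently, which is why an entry
    holding several ranges cannot be searched reliably this way."""
    v = int(ipaddress.ip_address(address))
    return (any(start <= v for start in entry["ipRangeStart"])
            and any(end >= v for end in entry["ipRangeEnd"]))


def address_in_subnet_match(subnet_value, assertion):
    """Local model of an addressInSubnetMatch rule: true when the asserted
    address lies inside the stored CIDR value.  Different address families
    (IPv4 vs IPv6) never match each other."""
    net = ipaddress.ip_network(subnet_value, strict=False)
    addr = ipaddress.ip_address(assertion)
    return addr.version == net.version and addr in net


def subnet_rule_matches(entry, address):
    """Per-value evaluation of the modelled rule over managedAddr."""
    return any(address_in_subnet_match(v, address) for v in entry["managedAddr"])


# Constructed sample directory (not real data).
ONE_RANGE = make_entry("cn=foo,o=example", "192.0.2.0/24")
TWO_RANGES = make_entry("cn=bar,o=example", "192.0.2.0/24", "198.51.100.0/24")
V6_RANGE = make_entry("cn=baz,o=example", "2001:db8::/32")
DIRECTORY = [ONE_RANGE, TWO_RANGES, V6_RANGE]


def search(entries, address, matcher):
    """Return the DNs of entries for which matcher(entry, address) is true."""
    return [e["dn"] for e in entries if matcher(e, address)]


if __name__ == "__main__":
    print(range_filter("192.0.2.1"))
    # 198.18.0.1 lies between the two ranges of cn=bar: the integer filter
    # pairs the first range's start with the second range's end and reports
    # a false positive; the subnet rule does not.
    print(search(DIRECTORY, "198.18.0.1", range_filter_matches))
    print(search(DIRECTORY, "198.18.0.1", subnet_rule_matches))
    print(search(DIRECTORY, "2001:db8:1::1", subnet_rule_matches))
```

The false positive on cn=bar is the concrete form of the objection that the (start, end) scheme allows only one range per entry: LDAP evaluates each attribute assertion against all values of the attribute, so the filter cannot tell which start belongs to which end.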