Kean Johnston wrote:
If this is the incorrect list to discuss nssov on please accept my apologies and point me in the right direction. the docs don't indicate a better place.
The nssov docs have no reason to say anything about that. The OpenLDAP mailing list charters are all pretty clear. Software usage questions belong on the -software list. The -devel list is for active OpenLDAP developers discussing OpenLDAP coding issues.
First let me start with saying what I am trying to achieve. If there is an alternate way to do this using memberof/dynlist I have not been able to figure it out. I am trying to get host access based on group membership working. Consider the following definition for 2 hosts:
dn: cn=host1,ou=hosts,dc=example,dc=com objectClass: ipHost objectClass: myHostAccessObject cn: host1 ipHostNumber: 10.1.2.3 hostAccessGroup: admins hostAccessGroup: dbas authorizedService: sshd
dn: cn=host2,ou=hosts,dc=example,dc=com objectClass: ipHost objectClass: myHostAccessObject cn: host2 ipHostNumber: 10.2.3.4 hostAccessGroup: hrpeople hostAccessGroup: dbas authorizedService: sshd
The hostAccessGroup refers to the name of a group whose users can access the machine. For example:
dn: cn=admins,ou=access,dc=example,dc=com objectClass: groupOfNames cn: admins member: uid=user1,ou=people,dc=example,dc=com member: uid=user2,ou=people,dc=example,dc=com
dn: cn=dbas,ou=access,dc=example,dc=com objectClass: groupOfNames cn: dbas member: uid=user1,ou=people,dc=example,dc=com member: uid=user3,ou=people,dc=example,dc=com
dn: cn=hrpeople,ou=access,dc=example,dc=com objectClass: groupOfNames cn: hrpeople member: uid=user1,ou=people,dc=example,dc=com member: uid=user4,ou=people,dc=example,dc=com
Given the above, user1, user2 and user3 will be able to access host1, and user1 and user4 will be able to access host2.
It seems to me access based on group membership should be easy to do but I have struggled with it immensely. I am new to LDAP so it is most likely a lack of knowledge on my behalf but I have done a lot of research and have not been able to find a way to do what I want. I know the nssov documentation says the prefered mechanism is to use hostservice, and I would like to, but I can't see how to create an ACL that would implement the above. An alternative would be to use some existing group entry, such as a posixGroup but that has even more complications as the memberUid is just the UID and not a DN for a person.
The above is not going to work.
Given that I can't see a way I would like to propose either extending nssov or perhaps writing a dynacl module that could help implement this. Before I rush off and attempt a design I would like input from this list to see if you think its a worthwhile idea.
No. There is already a documented way to do group-based access. Adding multiple methods to do approximately the same thing == bloat.
The most basic example for your case is access to dn.exact=cn=host1,ou=hosts,... attrs=authorizedService by group.exact=cn=dbas,ou=access,... compare
Further refinements can of course be made but you should focus on mastering the basics first.