Emmanuel Dreyfus wrote:
Howard Chuhyc@symas.com wrote:
In my own domain-based directories I simply use the DN hierarchy:
dc=doubleclick,dc=net,ou=spam,dc=highlandsun,dc=com dc=73,dc=216,dc=in-addr,dc=arpa,ou=spam,dc=highlandsun,dc=comHow do you get that working with BIND, for instance? The schema is there: http://www.venaas.no/ldap/bind-sdb/dnszone-schema.txt
I use my own schema and adapter code. Anything that maps hierarchical data onto LDAP without taking advantage of LDAP's hierarchy is inherently broken, IMO...
Exemple: dn: relativeDomainName=host,o=home objectClass: dNSZone relativeDomainName: host zoneName: example.net dNSClass: IN aRecord: 192.0.2.3
dn: relativeDomainName=3,zoneName=2.0.192.in-addr.arpa,o=home objectClass: dNSZone relativeDomainName: 3 zoneName: 2.0.192.in-addr.arpa dNSClass: IN pTRRecord: host.example.net.
This would instead look something like
dn: dc=host,dc=example,dc=net,o=home objectClass: dnsZone dc: host dnsClass: IN aRecord: 192.0.2.3
dn: dc=3,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home objectClass: dnsZone dc: 3 dnsClass: IN ptrRecord: host.example.net
Currently, we have everything needed to setup an ACL so that John Doe can only set a pTRRecord within *.sales.example.net. One just have to setup a val.regex ACL.
value-based ACLs are fairly expensive. This should just be access to dn.sub="dc=sales,dc=example,dc=net,o=home" by foo ... which is cheap...
But there is no way to tell that he can only set a pTRRecord within 192.0.2.128/25, therefore my inquiry on that topic.
And as I said before, subnets and domains are orthogonal. There is nothing in DNS to accommodate subnet notation, so you're still on your own here. A regex would probably be the best bet. Using hexadecimal RDNs would simplify things too.
dn: dc=03,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home
access to dn.regex="dc=[89abcdef].,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home" by foo ...