From Claudio.Strizzolo@ts.infn.it Thu Nov 23 09:15:16 2006
From: Claudio Strizzolo <Claudio.Strizzolo@ts.infn.it>
To: openldap-software@openldap.org
Subject: Re: ACL using netgroups
Date: Thu, 23 Nov 2006 10:14:43 +0100
Message-ID: <45656683.90003@ts.infn.it>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2848986781235688966=="

--===============2848986781235688966==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi Dieter,

>> Hello Dieter,
>> thanks for your reply.
>> I tried as you suggested:
>>
>> by dn="cn=ldapauth,dc=example,dc=com" \
>> group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com
>> read
>>
>> Unfortunately it does not work:
 >>
 >> [...]
>> 
>> If that matters, I am using openldap 2.2.13.

 > Ah your historic version might be a problem. I can't remember, in
 > which version the group expansion has been implemented.
 > My slapd.access(5) OpenLDAP-2.3.27 states
 > THE <WHO> FIELD
 >
 > [...]
 >     It can have the forms
 >
 >       [ other forms deleted ]
 >            group[/<objectclass>[/<attrname>]]

Actually I have the same syntax available in my slapd.access:

<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
         [dnattr=<attrname>]
         [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
         [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
         [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]

So probably the error is somewhere else. I report it again for the list 
(sorry, I replied to Dieter only instead of the list the first time):

Checking configuration files for slurpd: /etc/openldap/userauth.acl: 
line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate 
syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what> [ by <who> <access> [ <control> ] ]+
(...)

Any hints?
Thanks again

Claudio

--===============2848986781235688966==--


From dieter@dkluenter.de Thu Nov 23 15:49:45 2006
From: Dieter Kluenter <dieter@dkluenter.de>
To: openldap-software@openldap.org
Subject: Re: ACL using netgroups
Date: Thu, 23 Nov 2006 16:49:13 +0100
Message-ID: <8764d617uu.fsf@rubin.l4b.de>
In-Reply-To: <45656683.90003@ts.infn.it>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6831806860460072400=="

--===============6831806860460072400==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Claudio Strizzolo <Claudio.Strizzolo(a)ts.infn.it> writes:

> Hi Dieter,
>
>>> Hello Dieter,
>>> thanks for your reply.
>>> I tried as you suggested:
>>>
>>> by dn=3D"cn=3Dldapauth,dc=3Dexample,dc=3Dcom" \
>>> group/nisNetgroup/nisNetgroupTriple=3Dcn=3Dlinuxa,ou=3Dnetgroup,dc=3Dexam=
ple,dc=3Dcom
>>> read
>>>
>>> Unfortunately it does not work:
>  >>

> So probably the error is somewhere else. I report it again for the
> list (sorry, I replied to Dieter only instead of the list the first
> time):
>
> Checking configuration files for slurpd: /etc/openldap/userauth.acl:
> line 82: group "cn=3Dlinuxa,ou=3Dnetgroup,dc=3Dexample,dc=3Dcom":
> inappropriate syntax: 1.3.6.1.1.1.0.0
> <access clause> ::=3D access to <what> [ by <who> <access> [ <control> ] ]+

Could you please post a few sample lines of cn=3Dlinuxa=20

-Dieter

--=20
Dieter Kl=C3=BCnter | Systemberatung
http://www.dkluenter.de
N 53=C2=B037'10.08"
E 10=C2=B008'02.82"
GPG Key ID:8EF7B6C6


--===============6831806860460072400==--


From Claudio.Strizzolo@ts.infn.it Fri Nov 24 07:26:25 2006
From: Claudio Strizzolo <Claudio.Strizzolo@ts.infn.it>
To: openldap-software@openldap.org
Subject: Re: ACL using netgroups
Date: Fri, 24 Nov 2006 08:25:43 +0100
Message-ID: <45669E77.7000404@ts.infn.it>
In-Reply-To: <8764d617uu.fsf@rubin.l4b.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5335909449367668722=="

--===============5335909449367668722==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

>> Checking configuration files for slurpd: /etc/openldap/userauth.acl:
>> line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com":
>> inappropriate syntax: 1.3.6.1.1.1.0.0
>> <access clause> ::= access to <what> [ by <who> <access> [ <control> ] ]+
> 
> Could you please post a few sample lines of cn=linuxa 

Here they are:

# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)

Greetings

Claudio

--===============5335909449367668722==--


From ando@sys-net.it Sat Nov 25 10:34:15 2006
From: Pierangelo Masarati <ando@sys-net.it>
To: openldap-software@openldap.org
Subject: Re: ACL using netgroups
Date: Sat, 25 Nov 2006 11:34:15 +0100
Message-ID: <45681C27.7030708@sys-net.it>
In-Reply-To: <45669E77.7000404@ts.infn.it>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0045682123127619519=="

--===============0045682123127619519==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Claudio Strizzolo wrote:
>>> Checking configuration files for slurpd: /etc/openldap/userauth.acl:
>>> line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com":
>>> inappropriate syntax: 1.3.6.1.1.1.0.0
>>> <access clause> ::= access to <what> [ by <who> <access> [ <control> 
>>> ] ]+
>>
>> Could you please post a few sample lines of cn=linuxa 
>
> Here they are:
>
> # linuxa, netgroup, example.com
> dn: cn=linuxa,ou=netgroup,dc=example,dc=com
> objectClass: nisNetgroup
> objectClass: top
> cn: linuxa
> nisNetgroupTriple: (pclx01.example.com,-,-)
> nisNetgroupTriple: (pclx02.example.com,-,-)
> nisNetgroupTriple: (pclx03.example.com,-,-)
> (...)
As already pointed out by Kurt, the "group" access requires the member 
attr to have DN syntax (or, as an exception, nameUID syntax: that of 
uniqueMember, in short, for historical reasons).  The syntax of 
nisNetgroupTriple is 1.3.6.1.1.1.0.0 which is not DN syntax.  Moreover, 
the nisNetgroupTriple does not provide an equality rule, which means it 
wouldn't be possible to compare instances of it, assuming one can 
extract the hostname portion.

I don't see a clear solution to your problem which does not include 
hacking the code.  Perhaps you should consider redesigning your database 
and your access control olicies: if you want to use grouping for access 
control purposes, you should use LDAP groups ("groupOfNames" abjectClass 
and "member" attribute); in any case, you shouldn't use peernames in 
access control, as that require reverse lookups which are inherently 
unsafe and thus inappropriate for access control which is related to 
security.  You should rather require authentication (any client which 
doesn't support authentication shouldn't even be considered), and group 
user DNs for access control purposes.

If you really really need to live with using netgroups for 
authentication, you could develop a "dynacl" module; there's an example 
in contrib/slapd-modules/acl/ which allows grouping in terms of posix 
groups, based on the uidNumber.  That plugin is not meant for 
production, nor it should be seen as a valid idea to base access control 
design on, but just as an example of how to code custom access checking.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati(a)sys-net.it
------------------------------------------


--===============0045682123127619519==--