Hi all, I'd like to set up an ACL which allows access to a subtree only to a user, and only if the query is coming from a restricted set of hosts. Up to now I've been doing this:
    access to dn.subtree="ou=People,dc=example,dc=com"
        by self read
        by dn="cn=myuser,dc=example.com" peername.regex="10.10.10.1[0-9]" read
        by * none
This works. However, the number of hosts to be allowed in this way is rapidly increasing, and it is not easy to group their addresses in such a way that they can be easily summarized by a single regex, or a limited group of regexps. Moreover, for other reasons I have grouped the hosts in a netgroup inside the same database:
    dn: cn=mynodes,ou=netgroup,dc=example,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: mynodes
    nisNetgroupTriple: (node0.example.com,-,-)
    nisNetgroupTriple: (node1.example.com,-,-)
    (...)
    nisNetgroupTriple: (node9.example.com,-,-)
My question is: is there any way to set the ACL above in such a way as to use this netgroup definition to limit access to the hosts listed in the netgroup AND to the user as above, at the same time? I'm dreaming of something like:
    access to dn.subtree="ou=People,dc=example,dc=com"
        by self read
        by dn="cn=myuser,dc=example.com" netgroup="cn=mynodes,ou=netgroup,dc=example,dc=com" read
        by * none
Any way to do something like this? I beg your pardon if this is a stupid question, I'm just an LDAP beginner. Thanks in advance.
Claudio
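An added example (not from this thread) that emulates how slapd evaluates the posted "by dn=... peername.regex=..." clause. It assumes slapd presents a TCP peer as the string "IP=addr:port" and that, as with regexec(3), an unanchored pattern matches any substring; the peer strings and DNs below are constructed for the demonstration. It shows why the pattern as posted also admits addresses outside 10.10.10.10-19, and how an anchored, dot-escaped pattern closes that gap.

```python
import re

# Constructed peer strings in the "IP=addr:port" form slapd uses for TCP peers.
# Only the first one is a host the posted ACL intends to allow.
SAMPLE_PEERS = [
    "IP=10.10.10.15:38214",   # intended host (10.10.10.10-19)
    "IP=10.10.10.100:41002",  # not intended, but contains the substring "10.10.10.10"
    "IP=110.10.10.12:51440",  # not intended, a different network that contains "10.10.10.12"
    "IP=10.10.10.9:50000",    # not intended, and correctly rejected by both patterns
]

POSTED_REGEX = r"10.10.10.1[0-9]"                   # pattern exactly as written in the post
ANCHORED_REGEX = r"^IP=10\.10\.10\.1[0-9]:[0-9]+$"  # dots escaped, anchored to the whole peername


def peername_matches(pattern, peername):
    """Emulate slapd's peername.regex test: the pattern is compiled with
    REG_EXTENDED|REG_ICASE and matched with regexec, so without ^ and $
    it succeeds on any substring of the peername string."""
    return re.search(pattern, peername, re.IGNORECASE) is not None


def by_clause_grants(bind_dn, peername, clause_dn, pattern):
    """A single 'by dn="..." peername.regex="..."' clause applies only when
    every condition in it holds: the bound DN must equal the clause DN AND
    the peername must match.  Case-insensitive string equality stands in for
    slapd's normalized DN comparison here (a simplification)."""
    return bind_dn.lower() == clause_dn.lower() and peername_matches(pattern, peername)


def accepted_peers(pattern, peers=SAMPLE_PEERS):
    """Return the peers a given peername.regex pattern would let through."""
    return [p for p in peers if peername_matches(pattern, p)]


if __name__ == "__main__":
    print("posted pattern accepts:  ", accepted_peers(POSTED_REGEX))
    print("anchored pattern accepts:", accepted_peers(ANCHORED_REGEX))
```

The posted pattern accepts three of the four constructed peers; the anchored pattern accepts only the intended one.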
Claudio Strizzolo Claudio.Strizzolo@ts.infn.it writes:
man slapd.access(5) and http://www.openldap.org/faq/data/cache/52.html
group/nisNetgroup/nisNetgroupTriple=cn=mynodes,ou=netgroup,dc=example,dc=com
-Dieter
At 12:52 PM 11/22/2006, Dieter Kluenter wrote:
> man slapd.access(5) and http://www.openldap.org/faq/data/cache/52.html
> group/nisNetgroup/nisNetgroupTriple=cn=mynodes,ou=netgroup,dc=example,dc=com
This won't work as values of nisNetgroupTriple are not DNs (or NameAndOptionalUIDs). See the referenced materials.
openldap-software@openldap.org