Hi Dieter,
Hello Dieter, thanks for your reply. I tried as you suggested:
by dn="cn=ldapauth,dc=example,dc=com" \
   group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com read
Unfortunately it does not work:
[...]
If that matters, I am using openldap 2.2.13.
Ah, your historic version might be a problem. I can't remember in which version the group expansion has been implemented. My slapd.access(5) OpenLDAP-2.3.27 states THE <WHO> FIELD
[...] It can have the forms
[ other forms deleted ] group[/<objectclass>[/<attrname>]]
Actually I have the same syntax available in my slapd.access:
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
So probably the error is somewhere else. I report it again for the list (sorry, I replied to Dieter only instead of the list the first time):
Checking configuration files for slurpd:
/etc/openldap/userauth.acl: line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what>
        [ by <who> <access> [ <control> ] ]+
(...)
Any hints? Thanks again
Claudio
Claudio Strizzolo Claudio.Strizzolo@ts.infn.it writes:
Hi Dieter,
Hello Dieter, thanks for your reply. I tried as you suggested:
by dn="cn=ldapauth,dc=example,dc=com" \
   group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com read
Unfortunately it does not work:
So probably the error is somewhere else. I report it again for the list (sorry, I replied to Dieter only instead of the list the first time):
Checking configuration files for slurpd:
/etc/openldap/userauth.acl: line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what>
        [ by <who> <access> [ <control> ] ]+
Could you please post a few sample lines of cn=linuxa
-Dieter
Checking configuration files for slurpd:
/etc/openldap/userauth.acl: line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what>
        [ by <who> <access> [ <control> ] ]+
Could you please post a few sample lines of cn=linuxa
Here they are:
# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)
Greetings
Claudio
Claudio Strizzolo wrote:
Checking configuration files for slurpd:
/etc/openldap/userauth.acl: line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what>
        [ by <who> <access> [ <control> ] ]+
Could you please post a few sample lines of cn=linuxa
Here they are:
# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)
As already pointed out by Kurt, the "group" access requires the member attr to have DN syntax (or, as an exception, nameUID syntax: that of uniqueMember, in short, for historical reasons). The syntax of nisNetgroupTriple is 1.3.6.1.1.1.0.0 which is not DN syntax. Moreover, the nisNetgroupTriple does not provide an equality rule, which means it wouldn't be possible to compare instances of it, assuming one can extract the hostname portion.
I don't see a clear solution to your problem which does not include hacking the code. Perhaps you should consider redesigning your database and your access control policies: if you want to use grouping for access control purposes, you should use LDAP groups ("groupOfNames" objectClass and "member" attribute); in any case, you shouldn't use peernames in access control, as that requires reverse lookups which are inherently unsafe and thus inappropriate for access control, which is related to security. You should rather require authentication (any client which doesn't support authentication shouldn't even be considered), and group user DNs for access control purposes.
If you really really need to live with using netgroups for authentication, you could develop a "dynacl" module; there's an example in contrib/slapd-modules/acl/ which allows grouping in terms of posix groups, based on the uidNumber. That plugin is not meant for production, nor should it be seen as a valid idea to base access control design on, but just as an example of how to code custom access checking.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
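The redesign Pierangelo describes, written out as a slapd.conf fragment (an added example, not configuration from the thread or from the OpenLDAP project): the rejected netgroup-based clause next to the equivalent clause using a groupOfNames whose member values are DNs. The group DN cn=linuxa-hosts,ou=groups,dc=example,dc=com, the host account DNs, and the ou=people subtree used as the <what> are assumed placeholders.

```conf
# Added example, not from the thread. Assumed names: cn=linuxa-hosts,
# ou=groups,dc=example,dc=com, the cn=pclx0N,ou=hosts,... host accounts,
# and the ou=people subtree are placeholders.
#
# The group entry that the working clause below refers to, loaded with
# ldapadd (LDIF shown here as a comment):
#   dn: cn=linuxa-hosts,ou=groups,dc=example,dc=com
#   objectClass: groupOfNames
#   cn: linuxa-hosts
#   member: cn=pclx01,ou=hosts,dc=example,dc=com
#   member: cn=pclx02,ou=hosts,dc=example,dc=com
#   member: cn=pclx03,ou=hosts,dc=example,dc=com
#
# Rejected by slapd: nisNetgroupTriple has syntax 1.3.6.1.1.1.0.0 (not a
# DN) and no EQUALITY rule, so it cannot serve as a group member attribute.
# access to dn.subtree="ou=people,dc=example,dc=com"
#     by dn="cn=ldapauth,dc=example,dc=com" read
#     by group/nisNetgroup/nisNetgroupTriple="cn=linuxa,ou=netgroup,dc=example,dc=com" read

# Working form. "group=" defaults to objectClass groupOfNames and
# attribute member, so the explicit group/groupOfNames/member is optional.
# Each host binds with its own DN (simple or SASL bind), so membership is
# decided on the authenticated DN and no peername / reverse lookup is used.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=ldapauth,dc=example,dc=com" read
    by group/groupOfNames/member="cn=linuxa-hosts,ou=groups,dc=example,dc=com" read
    by * auth
```

With this layout a host that is removed from the group loses read access as soon as its member value is deleted, and an unauthenticated client only gets enough access to bind.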
openldap-software@openldap.org