Claudio Strizzolo wrote:
>> Checking configuration files for slurpd: /etc/openldap/userauth.acl:
>> line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate syntax: 1.3.6.1.1.1.0.0
>> <access clause> ::= access to <what> [ by <who> <access> [ <control> ] ]+
>
> Could you please post a few sample lines of cn=linuxa
Here they are:
# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)
As already pointed out by Kurt, the "group" access requires the member
attr to have DN syntax (or, as an exception, nameUID syntax: that of
uniqueMember, in short, for historical reasons). The syntax of
nisNetgroupTriple is 1.3.6.1.1.1.0.0 which is not DN syntax. Moreover,
the nisNetgroupTriple does not provide an equality rule, which means it
wouldn't be possible to compare instances of it, assuming one can
extract the hostname portion.
I don't see a clear solution to your problem which does not include
hacking the code. Perhaps you should consider redesigning your database
and your access control policies: if you want to use grouping for access
control purposes, you should use LDAP groups ("groupOfNames" objectClass
and "member" attribute); in any case, you shouldn't use peernames in
access control, as that requires reverse lookups which are inherently
unsafe and thus inappropriate for access control which is related to
security. You should rather require authentication (any client which
doesn't support authentication shouldn't even be considered), and group
user DNs for access control purposes.
If you really really need to live with using netgroups for
authentication, you could develop a "dynacl" module; there's an example
in contrib/slapd-modules/acl/ which allows grouping in terms of posix
groups, based on the uidNumber. That plugin is not meant for
production, nor should it be seen as a valid idea to base access control
design on, but just as an example of how to code custom access checking.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
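An added illustration, not part of the thread, of the redesign suggested above: a groupOfNames entry whose member values have DN syntax, and the matching group-based ACL written as cn=config olcAccess values (a slapd.conf ACL uses the same "to ... by ..." text). The ou=groups, ou=hosts, ou=people containers and the user DNs are constructed, and the commented-out weak clause is a reconstruction of what the line-82 error points at.

```ldif
# Constructed example: an LDAP group usable by the slapd "group" <who>
# clause. The member attribute has DN syntax (1.3.6.1.4.1.1466.115.121.1.12)
# and an equality matching rule, which is what the group clause requires;
# nisNetgroupTriple (1.3.6.1.1.1.0.0) has neither.
dn: cn=linuxa,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: linuxa
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

# Access control for the same database, expressed for cn=config.
# (Assumes the data backend is olcDatabase={1}hdb; adjust to match.)
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: owner may change, anyone may bind, nobody may read.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Weak form, reconstructed from the reported error (rejected by slapd
# because nisNetgroupTriple is not DN syntax):
#   by group/nisNetgroup/nisNetgroupTriple="cn=linuxa,ou=netgroup,dc=example,dc=com" write
# Corrected form: membership is decided by authenticated user DN through
# the groupOfNames entry above; no peername or reverse-DNS lookups, and
# unauthenticated clients get nothing.
olcAccess: {1}to dn.subtree="ou=hosts,dc=example,dc=com"
  by group="cn=linuxa,ou=groups,dc=example,dc=com" write
  by users read
  by * none
```

Load the group entry with ldapadd against the data database and the olcAccess change with ldapmodify against cn=config; `by group="..."` is shorthand for `by group/groupOfNames/member="..."`.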