1:14 a.m.
Hi Dieter,
> Hello Dieter,
> thanks for your reply.
> I tried as you suggested:
>
> by dn="cn=ldapauth,dc=example,dc=com" \
> group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com
> read
>
> Unfortunately it does not work:
>
> [...]
>
> If that matters, I am using openldap 2.2.13.
Ah your historic version might be a problem. I can't remember,
in
which version the group expansion has been implemented.
My slapd.access(5) OpenLDAP-2.3.27 states
THE <WHO> FIELD
[...]
It can have the forms
[ other forms deleted ]
group[/<objectclass>[/<attrname>]]
Actually I have the same syntax available in my slapd.access:
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>]][.<style>]=<group>]
[peername[.<peernamestyle>]=<peer>]
[sockname[.<style>]=<name>]
[domain[.<domainstyle>]=<domain>]
[sockurl[.<style>]=<url>]
So probably the error is somewhere else. I report it again for the list
(sorry, I replied to Dieter only instead of the list the first time):
Checking configuration files for slurpd: /etc/openldap/userauth.acl:
line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate
syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what> [ by <who> <access> [
<control> ] ]+
(...)
Any hints?
Thanks again
Claudio
7:49 a.m.
New subject: ACL using netgroups
Claudio Strizzolo <Claudio.Strizzolo(a)ts.infn.it> writes:
Hi Dieter,
>> Hello Dieter,
>> thanks for your reply.
>> I tried as you suggested:
>>
>> by dn="cn=ldapauth,dc=example,dc=com" \
>> group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com
>> read
>>
>> Unfortunately it does not work:
>>
So probably the error is somewhere else. I report it again for the
list (sorry, I replied to Dieter only instead of the list the first
time):
Checking configuration files for slurpd: /etc/openldap/userauth.acl:
line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com":
inappropriate syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what> [ by <who> <access> [
<control> ] ]+
Could you please post a few sample lines of cn=linuxa
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
N 53°37'10.08"
E 10°08'02.82"
GPG Key ID:8EF7B6C6
11:25 p.m.
New subject: ACL using netgroups
> Checking configuration files for slurpd:
/etc/openldap/userauth.acl:
> line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com":
> inappropriate syntax: 1.3.6.1.1.1.0.0
> <access clause> ::= access to <what> [ by <who> <access> [
<control> ] ]+
Could you please post a few sample lines of cn=linuxa
Here they are:
# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)
Greetings
Claudio
2:34 a.m.
New subject: ACL using netgroups
Claudio Strizzolo wrote:
>> Checking configuration files for slurpd:
/etc/openldap/userauth.acl:
>> line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com":
>> inappropriate syntax: 1.3.6.1.1.1.0.0
>> <access clause> ::= access to <what> [ by <who> <access>
[ <control>
>> ] ]+
>
> Could you please post a few sample lines of cn=linuxa
Here they are:
# linuxa, netgroup, example.com
dn: cn=linuxa,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: linuxa
nisNetgroupTriple: (pclx01.example.com,-,-)
nisNetgroupTriple: (pclx02.example.com,-,-)
nisNetgroupTriple: (pclx03.example.com,-,-)
(...)
As already pointed out by Kurt, the "group" access requires the
member
attr to have DN syntax (or, as an exception, nameUID syntax: that of
uniqueMember, in short, for historical reasons). The syntax of
nisNetgroupTriple is 1.3.6.1.1.1.0.0 which is not DN syntax. Moreover,
the nisNetgroupTriple does not provide an equality rule, which means it
wouldn't be possible to compare instances of it, assuming one can
extract the hostname portion.
I don't see a clear solution to your problem which does not include
hacking the code. Perhaps you should consider redesigning your database
and your access control olicies: if you want to use grouping for access
control purposes, you should use LDAP groups ("groupOfNames" abjectClass
and "member" attribute); in any case, you shouldn't use peernames in
access control, as that require reverse lookups which are inherently
unsafe and thus inappropriate for access control which is related to
security. You should rather require authentication (any client which
doesn't support authentication shouldn't even be considered), and group
user DNs for access control purposes.
If you really really need to live with using netgroups for
authentication, you could develop a "dynacl" module; there's an example
in contrib/slapd-modules/acl/ which allows grouping in terms of posix
groups, based on the uidNumber. That plugin is not meant for
production, nor it should be seen as a valid idea to base access control
design on, but just as an example of how to code custom access checking.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
5907
days inactive
5909
days old
openldap-software@openldap.org
3 comments
3 participants
participants (3)
-
Claudio Strizzolo -
Dieter Kluenter -
Pierangelo Masarati