--On Tuesday, October 06, 2009 4:34 PM +1100 Craig T sysadmin@shakenbake.net wrote:
Hi Openldap Experts,
I'm designing a fairly simple openldap setup for our Melbourne office, but it's my first LDAP site, so I'm kinda guessing....
LdapServer1: Centos 5.3x64 with db-4.7.25 and openldap-2.4.16 and the clients are Linux Centos 5.2. I've already got everything working with the basic acl setup of 'access to * by * read', the challenge now is how to best secure the LDAP environment with the right acls?
Upgrade to OpenLDAP 2.4.19 (latest stable).
Scenario 1) We'd like to restrict members to only be able to logon at certain machines. The concept I'm missing is, how does the LDAP protocol link the user authenticated to a hostname (machine user is sitting at)?
For example, user "cn=craig,ou=users,dc=example,dc=com" would like to log onto pc "craigpc.example.com ip:192.168.0.100".
From my study the following acls may work?
access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword by peername.regex=IP:192.168.0.100 & self read by * none
Check out the nss-ldapd stuff in <src>/contrib/
Scenario 2) How to setup groups (or "sets" I believe they are called) in a way where user "Craig" can be added to the "sysadmin" group and in turn get full access to all our servers.
LDIF ENTRY:
# sysadmin, groups, teratext.saic.com.au
dn: cn=sysadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: sysadmin
member: cn=cht,ou=users,dc=example,dc=com
member: cn=ajg,ou=users,dc=example,dc=com
ACCESS ENTRY: access to dn.subtree="ou=servers,dc=example,dc=com"
I'd suggest re-reading the slapd.access(5) man page. Particularly the access to ... by group.dn=... Sets are very expensive, and groups are naturally supported.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
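Putting the group-based approach from the reply into slapd.conf, as an added example that is not part of the thread: the rules below use the example.com DNs and the 192.168.0.100 address quoted above and assume the group is the groupOfNames/member entry from the LDIF (the default for group.exact). The userPassword rule only controls from which peer address a simple bind as craig can succeed; the per-host login restriction itself belongs in the client-side nss-ldapd configuration the reply points to.

```conf
# Added example, not from the thread. Assumes the example.com DNs and the
# 192.168.0.100 address quoted above. slapd evaluates "access to" rules in
# order and stops at the first <what> that matches, so keep these above any
# catch-all such as "access to * by * read".

# Scenario 1: craig's password hash can be used for a simple bind only when
# the connection comes from craigpc (192.168.0.100). A bind is anonymous
# until it succeeds, so the "auth" grant must go to anonymous, not self.
access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword
        by peername.ip=192.168.0.100 anonymous auth
        by self write
        by * none

# Scenario 2: members of the sysadmin groupOfNames (matched through its
# member attribute, the group.exact default) may modify the servers
# subtree; other authenticated users may read it; anonymous gets nothing.
access to dn.subtree="ou=servers,dc=example,dc=com"
        by group.exact="cn=sysadmin,ou=groups,dc=example,dc=com" write
        by users read
        by * none

# Everyone else: passwords are never readable, but remain usable for a
# bind, and the rest of the tree is readable only after authentication.
# This pair replaces the original "access to * by * read".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by users read
        by * none
```

Test a change with slapacl(8) before reloading, e.g. checking what `cn=cht,ou=users,dc=example,dc=com` gets on an entry under `ou=servers`, since a rule placed after a broader one is silently never reached.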