Hi Openldap Experts,
I'm designing a fairly simple openldap setup for our Melbourne office, but it's my first LDAP site, so I'm kinda guessing....
LdapServer1: CentOS 5.3 x64 with db-4.7.25 and openldap-2.4.16, and the clients are Linux CentOS 5.2. I've already got everything working with the basic acl setup of 'access to * by * read'; the challenge now is how to best secure the LDAP environment with the right acls?
Scenario 1) We'd like to restrict members to only be able to logon at certain machines. The concept I'm missing is, how does the LDAP protocol link the user authenticated to a hostname (machine user is sitting at)?
For example, user "cn=craig,ou=users,dc=example,dc=com" would like to log onto pc "craigpc.example.com ip:192.168.0.100".
From my study the following acls may work?
access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword
    by peername.regex=IP:192.168.0.100 & self read
    by * none
Scenario 2) How to setup groups (or "sets" I believe they are called) in a way where user "Craig" can be added to the "sysadmin" group and in turn get full access to all our servers.
LDIF ENTRY:
# sysadmin, groups, teratext.saic.com.au
dn: cn=sysadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
# the RDN value must be present as an attribute of the entry, so cn is sysadmin
cn: sysadmin
member: cn=cht,ou=users,dc=example,dc=com
member: cn=ajg,ou=users,dc=example,dc=com
ACCESS ENTRY:
access to dn.subtree="ou=servers,dc=example,dc=com"
    by set="[cn=sysadmin,ou=groups,dc=example,dc=com]/member* & peername.regex=IP:192.168.0.*" auth
    by * none
cya
Craig
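An added example, not part of Craig's message: the two rules above rewritten in the syntax documented in slapd.access(5), assuming slapd.conf-style ACLs and the DNs and addresses from the post.

```conf
# Scenario 1: craig may read his own userPassword only when the LDAP
# connection comes from craigpc (192.168.0.100). The peername string slapd
# compares against looks like "IP=<addr>:<port>", so a regex has to be
# anchored on "^IP=" rather than "IP:". Several <who> items on one "by"
# line are ANDed, which is how "self" and the peer address are combined.
# "by anonymous auth" is kept so that craig can still bind at all.
access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword
    by self peername.ip=192.168.0.100 read
    by anonymous auth
    by * none

# Same peer test written as a regex instead of peername.ip:
#   by self peername.regex="^IP=192\.168\.0\.100:[0-9]+$" read

# Scenario 2: members of cn=sysadmin (groupOfNames, attribute "member") may
# read the servers subtree, but only from the 192.168.0.0/24 network.
# group.exact tests membership directly; the equivalent set expression is
#   set="[cn=sysadmin,ou=groups,dc=example,dc=com]/member & user"
# but a set cannot look at the peer address, so the peername test is a
# separate <who> item on the same "by" line.
access to dn.subtree="ou=servers,dc=example,dc=com"
    by group.exact="cn=sysadmin,ou=groups,dc=example,dc=com" peername.ip=192.168.0.0%255.255.255.0 read
    by * none

# Caveats: peername is the address of the host that opened the connection to
# slapd (the PAM/NSS client, or a proxy/replica if one sits in between), and a
# LAN IP address is not a strong identity. These rules only decide who may
# read directory entries; whether craig may log on to a given host is decided
# by that host's PAM/NSS configuration, not by the directory ACLs.
```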