
Re: Matching rule against IP subnet



Emmanuel Dreyfus wrote:
> Howard Chu <hyc@symas.com> wrote:
>
>> In my own domain-based directories I simply use the DN hierarchy:
>>
>>        dc=doubleclick,dc=net,ou=spam,dc=highlandsun,dc=com
>>        dc=73,dc=216,dc=in-addr,dc=arpa,ou=spam,dc=highlandsun,dc=com
>
> How do you get that working with BIND, for instance? The schema is there:
> http://www.venaas.no/ldap/bind-sdb/dnszone-schema.txt

I use my own schema and adapter code. Anything that maps hierarchical data onto LDAP without taking advantage of LDAP's hierarchy is inherently broken, IMO...

> Example:
>
> dn: relativeDomainName=host,o=home
> objectClass: dNSZone
> relativeDomainName: host
> zoneName: example.net
> dNSClass: IN
> aRecord: 192.0.2.3
>
> dn: relativeDomainName=3,zoneName=2.0.192.in-addr.arpa,o=home
> objectClass: dNSZone
> relativeDomainName: 3
> zoneName: 2.0.192.in-addr.arpa
> dNSClass: IN
> pTRRecord: host.example.net.

This would instead look something like

dn: dc=host,dc=example,dc=net,o=home
objectClass: dnsZone
dc: host
dnsClass: IN
aRecord: 192.0.2.3

dn: dc=3,dc=2,dc=0,dc=192,dc=in-addr,dc=arpa,o=home
objectClass: dnsZone
dc: 3
dnsClass: IN
ptrRecord: host.example.net

> Currently, we have everything needed to setup an ACL so that John Doe
> can only set a pTRRecord within *.sales.example.net.  One just have to
> setup a val.regex ACL.

value-based ACLs are fairly expensive. This should just be access to dn.sub="dc=sales,dc=example,dc=net,o=home" by foo ... which is cheap...

> But there is no way to tell that he can only set a pTRRecord within
> 192.0.2.128/25, therefore my inquiry on that topic.

And as I said before, subnets and domains are orthogonal. There is nothing in DNS to accommodate subnet notation, so you're still on your own here. A regex would probably be the best bet. Using hexadecimal RDNs would simplify things too.


dn: dc=03,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home

access to dn.regex="dc=[89abcdef].,dc=02,dc=00,dc=c0,dc=in-addr,dc=arpa,o=home" by foo ...

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
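As an added illustration of the hex-RDN idea above (example code written for this page, not code from the thread or from OpenLDAP), the following Python builds the reverse DN for an address, derives the `dn.regex` pattern for an arbitrary IPv4 prefix (the /25 case in the message is one instance; the code generalizes to any prefix length), emits a `dn.sub` clause instead when the prefix is octet-aligned, since that form is the cheap one, and cross-checks the generated regex against a direct address-membership test. It assumes the `dc=..,dc=in-addr,dc=arpa,o=home` layout and base `o=home` from the message, the attribute name `ptrRecord` as spelled there, a placeholder grantee string for the `by` clause, and that the regex is anchored with `^`/`$`; only character classes, `^`, `$` and `\.` are used, which mean the same in POSIX ERE (what slapd evaluates) and in Python's `re` (what the self-check uses).

```python
import ipaddress
import re

HEX = "0123456789abcdef"
REVERSE_TAIL = ["dc=in-addr", "dc=arpa"]


def ip_to_hex_dn(ip, base="o=home"):
    """Reverse DN for an IPv4 address using two-digit hex RDNs, least significant octet first."""
    octets = ipaddress.IPv4Address(ip).packed  # 4 bytes, big-endian
    rdns = [f"dc={b:02x}" for b in reversed(octets)]
    return ",".join(rdns + REVERSE_TAIL + [base])


def _nibble_class(lo, hi):
    """Regex fragment matching one hex digit whose value lies in lo..hi inclusive."""
    if lo == 0 and hi == 15:
        return "[0-9a-f]"
    if lo == hi:
        return HEX[lo]
    return "[" + HEX[lo:hi + 1] + "]"


def _octet_pattern(value, fixed_bits):
    """Regex for one hex octet when only its top `fixed_bits` bits are fixed by the prefix."""
    if fixed_bits == 8:
        return f"{value:02x}"
    if fixed_bits == 0:
        return "[0-9a-f][0-9a-f]"
    hi_nib, lo_nib = value >> 4, value & 0xF
    if fixed_bits <= 4:
        # The split falls inside the high nibble; the low nibble is entirely free.
        span = 1 << (4 - fixed_bits)
        lo = hi_nib & ~(span - 1)
        return _nibble_class(lo, lo + span - 1) + "[0-9a-f]"
    # High nibble fully fixed; the split falls inside the low nibble.
    span = 1 << (8 - fixed_bits)
    lo = lo_nib & ~(span - 1)
    return HEX[hi_nib] + _nibble_class(lo, lo + span - 1)


def subnet_to_dn_regex(cidr, base="o=home"):
    """Anchored DN regex matching exactly the reverse entries inside `cidr`."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    parts = []
    for i, b in enumerate(net.network_address.packed):
        fixed = max(0, min(8, net.prefixlen - 8 * i))
        parts.append("dc=" + _octet_pattern(b, fixed))
    dn = ",".join(parts[::-1] + REVERSE_TAIL + [base])
    return "^" + dn.replace(".", "\\.") + "$"


def slapd_access_line(cidr, who, base="o=home"):
    """Prefer dn.sub (cheap) when the prefix ends on an octet boundary, else fall back to dn.regex."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 8 == 0:
        kept = net.network_address.packed[: net.prefixlen // 8]
        sub = ",".join([f"dc={b:02x}" for b in reversed(kept)] + REVERSE_TAIL + [base])
        return f'access to dn.sub="{sub}" attrs=ptrRecord by {who} write by * read'
    pat = subnet_to_dn_regex(cidr, base)
    return f'access to dn.regex="{pat}" attrs=ptrRecord by {who} write by * read'


def dn_in_subnet(dn, cidr, base="o=home"):
    """Ground truth for the self-check: parse a hex-RDN reverse DN back to an address."""
    suffix = "," + ",".join(REVERSE_TAIL + [base])
    if not dn.endswith(suffix):
        return False
    rdns = dn[: -len(suffix)].split(",")
    if len(rdns) != 4 or not all(r.startswith("dc=") for r in rdns):
        return False
    try:
        octets = bytes(int(r[3:], 16) for r in reversed(rdns))
    except ValueError:
        return False
    return ipaddress.IPv4Address(octets) in ipaddress.IPv4Network(cidr)


def regex_agrees_with_truth(cidr, sweep="192.0.2.0/24", base="o=home"):
    """Verify the generated regex accepts exactly the in-subnet DNs across a sweep range."""
    pat = re.compile(subnet_to_dn_regex(cidr, base))
    for addr in ipaddress.IPv4Network(sweep):
        dn = ip_to_hex_dn(str(addr), base)
        if bool(pat.match(dn)) != dn_in_subnet(dn, cidr, base):
            return False
    return True


if __name__ == "__main__":
    # "cn=sales-dns,ou=groups,o=home" is a placeholder grantee, not from the thread.
    print(slapd_access_line("192.0.2.128/25", 'group="cn=sales-dns,ou=groups,o=home"'))
    print(slapd_access_line("192.0.2.0/24", 'group="cn=sales-dns,ou=groups,o=home"'))
    print("regex matches ground truth:", regex_agrees_with_truth("192.0.2.128/25"))
```

Running the self-check before committing a `dn.regex` line to `slapd.conf` catches the classic mistakes with this style of rule: an unescaped `.` (harmless here because `in-addr` has none, but not in general), a missing anchor, or a character class that silently covers the neighbouring /25.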