nssov change proposal
- To: openldap-devel@openldap.org
- Subject: nssov change proposal
- From: Kean Johnston <kean.johnston@gmail.com>
- Date: Sun, 11 Apr 2010 15:47:07 -0500
- User-agent: Thunderbird 2.0.0.24 (Windows/20100228)
If this is the incorrect list to discuss nssov on, please accept my
apologies and point me in the right direction. The docs don't indicate a
better place.
First let me start with saying what I am trying to achieve. If there is an
alternate way to do this using memberof/dynlist I have not been able to
figure it out. I am trying to get host access based on group membership
working. Consider the following definition for 2 hosts:
dn: cn=host1,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: myHostAccessObject
cn: host1
ipHostNumber: 10.1.2.3
hostAccessGroup: admins
hostAccessGroup: dbas
authorizedService: sshd

dn: cn=host2,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: myHostAccessObject
cn: host2
ipHostNumber: 10.2.3.4
hostAccessGroup: hrpeople
hostAccessGroup: dbas
authorizedService: sshd
The hostAccessGroup refers to the name of a group whose users can access
the machine. For example:
dn: cn=admins,ou=access,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user2,ou=people,dc=example,dc=com

dn: cn=dbas,ou=access,dc=example,dc=com
objectClass: groupOfNames
cn: dbas
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user3,ou=people,dc=example,dc=com

dn: cn=hrpeople,ou=access,dc=example,dc=com
objectClass: groupOfNames
cn: hrpeople
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user4,ou=people,dc=example,dc=com
Given the above, user1, user2 and user3 will be able to access host1, and
user1 and user4 will be able to access host2.
It seems to me access based on group membership should be easy to do, but I
have struggled with it immensely. I am new to LDAP so it is most likely a
lack of knowledge on my behalf, but I have done a lot of research and have
not been able to find a way to do what I want. I know the nssov
documentation says the preferred mechanism is to use hostservice, and I
would like to, but I can't see how to create an ACL that would implement
the above. An alternative would be to use some existing group entry, such
as a posixGroup, but that has even more complications as the memberUid is
just the UID and not a DN for a person.
Given that I can't see a way, I would like to propose either extending nssov
or perhaps writing a dynacl module that could help implement this. Before I
rush off and attempt a design I would like input from this list to see if
you think it's a worthwhile idea.
Thank you for your time.
Kean.
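As an added illustration (not part of the post, and not OpenLDAP or nssov code), here is the resolution chain an nssov extension or dynacl module would have to perform for the entries above: hostAccessGroup value -> group entry with that cn -> member DN -> uid, plus the authorizedService gate. The sample LDIF is the post's data reduced to the attributes the decision needs; lookups by RDN stand in for the base/filter searches a real implementation would issue, and a hostAccessGroup naming no group entry fails closed.

```python
# Constructed sample: the post's host and group entries, pared down to the attributes that matter.
LDIF = """\
dn: cn=host1,ou=hosts,dc=example,dc=com
hostAccessGroup: admins
hostAccessGroup: dbas
authorizedService: sshd

dn: cn=host2,ou=hosts,dc=example,dc=com
hostAccessGroup: hrpeople
hostAccessGroup: dbas
authorizedService: sshd

dn: cn=admins,ou=access,dc=example,dc=com
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user2,ou=people,dc=example,dc=com

dn: cn=dbas,ou=access,dc=example,dc=com
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user3,ou=people,dc=example,dc=com

dn: cn=hrpeople,ou=access,dc=example,dc=com
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user4,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): one {attr: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append({})
        for attr, _, value in (line.partition(":") for line in block.splitlines()):
            entries[-1].setdefault(attr.strip(), []).append(value.strip())
    return entries

def rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]  # 'host1' from 'cn=host1,ou=hosts,...'

def allowed_uids(entries, host, service="sshd"):
    """uids permitted to use `service` on `host`: hostAccessGroup -> group -> member -> uid."""
    hosts = {rdn_value(e["dn"][0]): e for e in entries if "hostAccessGroup" in e}
    groups = {rdn_value(e["dn"][0]): e for e in entries if "member" in e}
    h = hosts.get(host)
    if h is None or service not in h.get("authorizedService", []):
        return set()  # unknown host, or service not authorized on it: deny
    uids = set()
    for name in h["hostAccessGroup"]:  # a name matching no group entry grants nothing
        members = groups.get(name, {}).get("member", [])
        uids |= {rdn_value(m) for m in members if m.lower().startswith("uid=")}
    return uids
```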