[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: nssov change proposal
- To: Howard Chu <hyc@symas.com>
- Subject: Re: nssov change proposal
- From: Kean Johnston <kean.johnston@gmail.com>
- Date: Mon, 12 Apr 2010 04:08:47 -0500
- Cc: openldap-devel@openldap.org
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=P+eDt8z+q5egmuMph/Sl2gGN3OknLAsR0sVeBXWD1dQ=; b=ThMnms6wq5Ep7O1ySzYV7BlyiAny4Cs7+1TPX7pMArAEXcoLkmeAZiovYupmvEYWHm +t5ejiYBZaZUe3Drh6+Ztvkes/7adb220cGJFD60Iur1epve5bDbDXO9XV2W4PIdQPYW tdb65lJJ6x6Rln5cJ3iWP2OEaFI5fyf7ASn/A=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=QJ3VQU78Mo5MS2PxQSKNO56HcF0nKaUtJr5omVo4Ne9feEWGES8fspw996ZmEu33Hr CsjsqgRTloBLytUEqoJJSHXqXSDAGdJPHgnAQ5U+UPec7/SKjDxjRrrhQNsCh8svh3C9 7wQOZ1icgKnOklHJF9acMsj/hpJQyWhAfFWvo=
- In-reply-to: <4BC269BB.1060307@symas.com>
- References: <4BC2354B.2010207@gmail.com> <4BC269BB.1060307@symas.com>
- User-agent: Thunderbird 2.0.0.24 (Windows/20100228)
The most basic example for your case is
access to dn.exact=cn=host1,ou=hosts,... attrs=authorizedService
by group.exact=cn=dbas,ou=access,... compare
That is exactly what I currently have. The problem is this. There are
multiple hostAccessGroup's possible for each host. Its a list, not a single
group. The example you give works only for a single group. I guess it would
be possible to list the access groups in the ACL's rather than using an
attribute of the host, but that doesn't seem scalable to me. It also has
implications of security, as to change a host's access an administrator
will need permission to change ACL's which is considerably more "powerful"
operation than giving a sysadmin teh ability to add or remove
hostAccessGroup (or whatever attribute) from a host entry. It is also
moving the data away from where its relevant. The ou=hosts entries are
supposed to describe hosts. But this:
access to dn.exact=cn=host1,ou=hosts... attrs=authorizedService
by group.exact=cn=dbas,ou=access... compare
by group.exact=cn=admins,ou=access.. compare
access to dn.exact=cn-host2.....
access to dn.exact=host3....
etc etc ... seems to be less optimal than:
dn: cn=host1,...
hostAccessGroup: dbas
hostAccessGroup: admins
dn: cn=host2...
... etc etc.
It also has implications for management tools. In the one case (yours),
information about the host is split between the ou=hosts and the ACLs. In
the other, all information about the host is in the ou=hosts entry. In a
large organisation, I can see considerable problems if a basic sysadmin
requires rights to change ACL's (think: can grant himself access to HR
attributes) versus just being able to grant or deny access to ssh for a
given host.
Thoughts?
Kean