
Re: ACL Question: a group of peernames ?



Hi again,

What I want is something like this:

access to dn=(.*,)*ou=nis,o=myorg
        by group="cn=admins,ou=nis,o=myorg" write
        by users read
        by group_hosts="cn=groupOfHosts,ou=nis,o=myorg" read

This would make it possible to limit anonymous read access to hosts in
a group.
But this is not possible at the moment, right?
I found nothing about matching a peername in a group.

I'm thinking about adding this to my slapd.

Markus

On Mon, Dec 03, 2001 at 11:21:36AM +0100, Markus Benning wrote:
> > > Hi everyone,
> > >
> > > I'm searching for a way to limit access to a list of hosts.
> > >
> > > Is it possible to have a group of hostnames and/or IPs in
> > > the LDAP tree and limit access to hosts in that group?
> > >
> > > Another way would be to generate iptables rules out of
> > > the LDAP directory with a little script.
> > > But this is not the perfect way.
> > 
> > That seems like a pretty good way:
> > 
> > 1) The access control is done in the kernel, so slapd isn't
> >    bothered by attacks;
> > 
> > 2) Your script can be server-independent (e.g. could work with
> >    some other LDAP server implementation);
> > 
> > 3) Your script can run in the firewall, rather than on your LDAP
> >    server host;
> > 
> > 4) Your access control can be more dynamic, responding to changes
> >    in your LDAP directory content -- AFAIK ACLs can't be
> >    changed at runtime.
> > 
> > Bob G
> 
> 1) Yes, it will be faster in the kernel than in slapd.
> 
> 2) Right, but I have only OpenLDAP servers.
> 
> 3) I don't have control over the firewall.
> 
> 4) When using ipchains, a restart of the script
>    is needed after every change.
> 
> But I think access control in slapd will be
> the better way for me because:
> - I can give finer permissions.
>   I have 3 directories under my rootdn;
>   not all hosts need access to all
>   directories.
> - Changes are replicated to the slave
>   and no restart of a script is needed.

-- 
Markus Benning

   .^.
   /V\     Tel. : +49 9131 7 21713
 /(   )\   Email: Markus.Benning@siemens.com
  ^^-^^    __________________________________
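One way to implement the "generate iptables rules out of the LDAP directory with a script" approach discussed in the thread above, as an added example that is not code from this message or from OpenLDAP: it reads the host group from an LDIF export (as ldapsearch would print it), validates every address before it is placed on a command line, and emits allow rules for the LDAP ports followed by a default deny. The ipHostNumber attribute, the group DN and the sample LDIF are assumptions.

```python
import ipaddress

# Constructed sample of what an LDIF export of the host group might look
# like; the attribute name ipHostNumber and the last, malformed value are
# assumptions chosen to exercise the validation below.
SAMPLE_LDIF = """\
dn: cn=groupOfHosts,ou=nis,o=myorg
objectClass: top
cn: groupOfHosts
ipHostNumber: 192.0.2.10
ipHostNumber: 192.0.2.0/28
ipHostNumber: 2001:db8::5
ipHostNumber: bogus;rm -rf /
"""

LDAP_PORTS = (389, 636)  # ldap and ldaps


def parse_host_values(ldif, attr="ipHostNumber"):
    """Return all values of `attr` from a single-entry LDIF text."""
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in ldif.splitlines()
            if line.lower().startswith(prefix)]


def build_rules(values, chain="INPUT"):
    """Turn address values into iptables/ip6tables commands.

    Each value must parse as an IP address or network before it is used,
    so a malformed directory value can never become shell syntax; such
    values are returned separately instead of being silently skipped.
    """
    rules, rejected = [], []
    for raw in values:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        tool = "ip6tables" if net.version == 6 else "iptables"
        for port in LDAP_PORTS:
            rules.append(f"{tool} -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT")
    # Default deny for the LDAP ports: hosts outside the group are dropped.
    for tool in ("iptables", "ip6tables"):
        for port in LDAP_PORTS:
            rules.append(f"{tool} -A {chain} -p tcp --dport {port} -j DROP")
    return rules, rejected
```

Rerunning the script whenever the group entry changes regenerates the rule set, which is the "dynamic" property Bob G points out; rejected values should be logged so a bad directory entry is noticed rather than ignored.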