
Re: Matching rule against IP subnet
Emmanuel Dreyfus writes:
> As far as I know, it is not possible to match an IP subnet.
> For instance, if I have an object like this:
> dn: cn=foo,o=example
> managedAddr: 192.0.2.0/24
>
> And this kind of thing does not seem available:
> ldapsearch 'managedAddr:addressInSubnetMatch:=192.0.2.1'

Remember that even if it were, OpenLDAP does not support indexing for
such filters.  So each search would have to inspect every IP-subnet
entry in scope.

That's another thing which would be quite nice if someone implemented
someday: Indexing for extended filters.  Not me though...

> - can someone confirm this cannot be done yet?

It can't.

> - is there a RFC to implement that does this? Or should I start with
> what I have thought about and presented above?

I would google around for ldap ip ranges and also look for Microsoft
syntax/matching rules first.  No need to be different from them if
they already have sensible definitions.  (Except it might still
be best to use our own OIDs; proprietary syntaxes/rules may be
changed at any time.)

RFC 2307 has some IP address attributes, but they're not useful to search
for ranges and subnets.

> - is this functionality welcome?

Well, we'd use it at our site - at least what supports indexing.

> - where do I start to implement it? The thing happens in schema_init.c
> and schema_prep.c, but I need to select an OID. How?

OpenLDAP has an experimental OID arc, but I don't know where to see
which ones are used.

> The motivation is DNS configuration stored in LDAP. That feature could
> enable the delegation of subnet management to different administrators,
> the access being enforced by slapd ACL.

At our site we store IP ranges as two integer attributes (start, end),
and put an equality index on these attributes.  In 2.4, equality index
for integers also supports inequality filters <= and >=, so we can do
an indexed search for (&(ipRangeStart<=value)(ipRangeEnd>=value)).

That doesn't allow us to have two IP ranges in the same LDAP entry
though.

An alternative would be to use binary representation and substring
match, but this strikes me as somewhat suboptimal :-)


BTW, one point to keep in mind: What do IP ranges look like in IPv6?

-- 
Hallvard
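As an added illustration of the two-integer scheme described in the reply above (not code from the thread or from OpenLDAP), the following Python converts a CIDR subnet into the start/end integers such a schema would store, builds the indexed filter `(&(ipRangeStart<=v)(ipRangeEnd>=v))`, and evaluates that filter against constructed entries with LDAP's multi-valued semantics. The attribute names `ipRangeStart`/`ipRangeEnd` are taken from the message; the sample entries are constructed. The last function shows why an entry holding two ranges breaks the scheme, and the conversion is written over `ipaddress` so it also generalizes to IPv6 prefixes, which the reply raises as an open question (whether a given server indexes 128-bit INTEGER values efficiently is an assumption this example does not make).

```python
import ipaddress

# Attribute names as used in the message's scheme.
START_ATTR = "ipRangeStart"
END_ATTR = "ipRangeEnd"


def subnet_to_range(cidr):
    """Return (first, last) as integers for a CIDR prefix (IPv4 or IPv6).

    LDAP INTEGER syntax carries these as decimal strings; the integers
    keep address order, which is what makes <= / >= indexing useful.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return int(net.network_address), int(net.broadcast_address)


def address_to_int(addr):
    """Integer form of a single address; also validates it is an address."""
    return int(ipaddress.ip_address(addr))


def subnet_filter(addr):
    """Build the indexed search filter for one address.

    The asserted values are integers produced here, never raw user text,
    so no RFC 4515 filter escaping is needed.
    """
    v = address_to_int(addr)
    return f"(&({START_ATTR}<={v})({END_ATTR}>={v}))"


def ldap_filter_truth(entry, addr):
    """Evaluate (&(start<=v)(end>=v)) the way a server does.

    Each attribute assertion is true if ANY value of that attribute
    satisfies it; the two assertions are not tied to each other.
    """
    v = address_to_int(addr)
    return (any(s <= v for s in entry[START_ATTR])
            and any(e >= v for e in entry[END_ATTR]))


def true_containment(entry, addr):
    """What we actually want: is addr inside one of the entry's ranges?

    Pairing start[i] with end[i] is something the client can do here,
    but a server cannot, because attribute values are an unordered set.
    """
    v = address_to_int(addr)
    return any(s <= v <= e
               for s, e in zip(entry[START_ATTR], entry[END_ATTR]))


def search(entries, addr):
    """DNs of entries the indexed filter would return for addr."""
    return [e["dn"] for e in entries if ldap_filter_truth(e, addr)]


def _entry(dn, *cidrs):
    """Constructed sample entry with one (start, end) pair per CIDR."""
    ranges = [subnet_to_range(c) for c in cidrs]
    return {"dn": dn,
            START_ATTR: [s for s, _ in ranges],
            END_ATTR: [e for _, e in ranges]}


# Constructed sample directory content (documentation prefixes).
SAMPLE_ENTRIES = [
    _entry("cn=foo,o=example", "192.0.2.0/24"),
    # Two ranges in one entry: the case the message says the scheme cannot handle.
    _entry("cn=bar,o=example", "10.0.0.0/24", "10.0.2.0/24"),
]


if __name__ == "__main__":
    print(subnet_to_range("192.0.2.0/24"))
    print(subnet_filter("192.0.2.1"))
    print(search(SAMPLE_ENTRIES, "192.0.2.1"))
    # 10.0.1.5 lies in the gap between bar's two ranges, yet the filter matches it.
    bar = SAMPLE_ENTRIES[1]
    print(ldap_filter_truth(bar, "10.0.1.5"), true_containment(bar, "10.0.1.5"))
```

Run as a script it prints the range for 192.0.2.0/24, the filter for 192.0.2.1, the matching DN, and then `True False` for 10.0.1.5 against the two-range entry: the server-side filter is satisfied by the first range's start and the second range's end, which is the false positive that forces one range per entry.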