[Date Prev][Date Next]
Re: nssov change proposal
Kean Johnston wrote:
If this is the incorrect list to discuss nssov on please accept my
apologies and point me in the right direction. the docs don't indicate a
The nssov docs have no reason to say anything about that. The OpenLDAP mailing
list charters are all pretty clear. Software usage questions belong on the
-software list. The -devel list is for active OpenLDAP developers discussing
OpenLDAP coding issues.
First let me start with saying what I am trying to achieve. If there is an
alternate way to do this using memberof/dynlist I have not been able to
figure it out. I am trying to get host access based on group membership
working. Consider the following definition for 2 hosts:
The hostAccessGroup refers to the name of a group whose users can access
the machine. For example:
Given the above, user1, user2 and user3 will be able to access host1, and
user1 and user4 will be able to access host2.
It seems to me access based on group membership should be easy to do but I
have struggled with it immensely. I am new to LDAP so it is most likely a
lack of knowledge on my behalf but I have done a lot of research and have
not been able to find a way to do what I want. I know the nssov
documentation says the prefered mechanism is to use hostservice, and I
would like to, but I can't see how to create an ACL that would implement
the above. An alternative would be to use some existing group entry, such
as a posixGroup but that has even more complications as the memberUid is
just the UID and not a DN for a person.
The above is not going to work.
Given that I can't see a way I would like to propose either extending nssov
or perhaps writing a dynacl module that could help implement this. Before I
rush off and attempt a design I would like input from this list to see if
you think its a worthwhile idea.
No. There is already a documented way to do group-based access. Adding
multiple methods to do approximately the same thing == bloat.
The most basic example for your case is
access to dn.exact=cn=host1,ou=hosts,... attrs=authorizedService
by group.exact=cn=dbas,ou=access,... compare
Further refinements can of course be made but you should focus on mastering
the basics first.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/