[Date Prev][Date Next]
Re: ACL Question: a group of peernames ?
what i want is something like this:
access to dn=(.*,)*ou=nis,o=myorg
by group="cn=admins,ou=nis,o=myorg" write
by users read
by group_hosts="cn=groupOfHosts,ou=nis,o=myorg" read
it will be possible to limit anonymous read access to hosts in
But this is not possible at the moment right ?
I found nothing about matching a peername in a group.
I'm thinking about adding this to my slapd.
On Mon, Dec 03, 2001 at 11:21:36AM +0100, Markus Benning wrote:
> > > Hi everyone,
> > >
> > > I'm searching for a way to Limit Access to a list of Hosts.
> > >
> > > Is it possible to have a group of hostnames and/or ips in
> > > the LDAP Tree and limit Access to hosts in that group ?
> > >
> > > An other way will to generate iptables rules out of
> > > the LDAP Directory with a little script.
> > > But this is not the perfect way.
> > That seems like a pretty good way:
> > 1) The access control is done in the kernel, so slapd isn't
> > bothered by attacks;
> > 2) Your script can be server-independent (e.g. could work with
> > some other LDAP server implementation);
> > 3) Your script can run in the firewall, rather than on your LDAP
> > server host;
> > 4) Your access control can be more dynamic, responding to changes
> > in your LDAP directory content -- AFAIK ACLs can't be
> > changed at runtime.
> > Bob G
> 1) Yes it will be faster in kernel than in slapd
> 2) right, but i have only openldap servers
> 3) i dont have control over the firewall
> 4) when using ipchains a restart of the skript
> is needed after every change.
> But i think access control in slapd will be
> the better way for me because:
> - I can give finer permissions
> I have 3 Directorys in my rootdn
> not all host need access to all
> - Changes are relpicated to the slave
> and no restart of a script is needed.
/V\ Tel. : +49 9131 7 21713
/( )\ Email: Markus.Benning@siemens.com