
Help needed with access control



	Hi,

	First, a little background. I run an OpenLDAP server in a
department with Linux and OS/X workstations, and multiple distinct
administrative groups. Since the groups have distinct sets of computers
and arbitrary overlapping human membership, I solved the access control
problem by making each computer bind as a group DN
(cn=<group>,ou=Group,<baseDN>, using bindpw/binddn attributes for
pam_ldap and nss_ldap), and extending the eduPerson schema to allow user
entries to have group affiliation attributes. The actual access control
is then accomplished by mixing a filter <what> spec and a
'group/objectClass/attribute' <who> spec to control the read access to a
critical attribute -- uidNumber in this case. For example:

# entries affiliated with group cscf: the user and any client bound as
# the cscf group DN may read uidNumber; everyone else falls through to
# the next ACL
access to filter=(cscfPersonGroupDN=cn=cscf,ou=Group,<baseDN>) attr=uidNumber
       by self read
       by dn="cn=cscf,ou=Group,<baseDN>" read
       by * -w break

	This scheme works quite well. However, I have been getting
pinged to implement a purely server-side access control, i.e. one that
doesn't involve client computers doing a bind before retrieving account
information -- something like Windows ADS and OS/X OpenDirectory do.

	Now the OS/X model is fundamentally broken -- apparently the
OS/X access control works by the OS/X OpenLDAP server providing advisory
access control information, and the OS/X client taking said info to
heart; which means that a Linux box bound to an OS/X LDAP server is not
subject to any access control *at all*. I haven't tried to bind a Linux
box to an ADS server, so I don't know if it's even possible.

	What I am wondering is, is it possible to implement such
server-side access control *right* using OpenLDAP ACL syntax? That is,
to have in LDAP database groups of computers and groups of users, and to
write ACL specs in such a way that computers in a given group only allow
logins for users in a given group? The ACL man page describes 'peername'
<what> clause, but this requires an explicit list of IPs or IP ranges;
and the 'set' <what> clause looks like it could do the job, except that
there's no way to access connecting host's name or IP in the 'set'
clause.

	I am thinking about something like the following:

access to <who>
	by peername=[FQDNgroup/groupOfComputers/uniqueMember="cn=computerGroup,ou=computer_groups,<baseDN>"]

	so that to manipulate access control, the administrator would
merely have to manipulate the list of FQDNs in a given computer group.

	Is there some mechanism to implement equivalent control via
dynamic hostname list provided by an LDAP entry?

	BTW, any suggestions on improving my original control scheme
(via users' group affiliation attributes) are also welcome.

-- 
|  Victor  Danilchenko  | Of course my password is the same as    |
| danilche@cs.umass.edu | my pet's name. My macaw's name was      |
|   CSCF   |   5-4231   | Q47pY!3, but I change it every 90 days. |
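An added example, not part of the post above, showing the complete ACL chain the group-affiliation scheme needs in slapd.conf: the userPassword rule, one uidNumber stanza per administrative group, a host-based stanza, and the catch-all that the "break" clauses fall through to. cn=cscf,ou=Group,<baseDN> and cscfPersonGroupDN are the post's own names, and <baseDN> is the post's placeholder for the suffix; cn=sysadm,ou=Group,<baseDN> as a second group and 192.0.2.0/24 as a workstation subnet are assumptions for illustration.

```conf
# Added example, not from the original post. <baseDN> is the suffix
# placeholder used in the post; cn=sysadm and 192.0.2.0/24 are assumed.

# Passwords: clients may bind against them, users may change their own,
# nobody may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# uidNumber, one stanza per administrative group. The <what> matches only
# entries affiliated with that group. A client bound as the group DN and
# the user themself get read; everyone else is sent on to the next stanza
# by "break", which is what lets a user affiliated with two groups be
# resolved from either group's workstations.
access to filter=(cscfPersonGroupDN=cn=cscf,ou=Group,<baseDN>) attrs=uidNumber
        by self read
        by dn.exact="cn=cscf,ou=Group,<baseDN>" read
        by * none break

access to filter=(cscfPersonGroupDN=cn=sysadm,ou=Group,<baseDN>) attrs=uidNumber
        by self read
        by dn.exact="cn=sysadm,ou=Group,<baseDN>" read
        by * none break

# Host-based variant for cscf: a literal subnet (assumed) instead of a
# bound group DN, so the workstations need no bind. The address list
# lives in slapd.conf, not in an LDAP entry, and changes need a reload.
access to filter=(cscfPersonGroupDN=cn=cscf,ou=Group,<baseDN>) attrs=uidNumber
        by peername.ip=192.0.2.0%255.255.255.0 read
        by * none break

# Catch-all the "break" clauses land on: any other bind, and any
# anonymous client, never sees uidNumber. Without it a fall-through
# would be decided by whatever ACL follows.
access to attrs=uidNumber
        by * none

# Everything else stays readable so the account entries themselves (uid,
# homeDirectory, loginShell, ...) still resolve; only uidNumber is withheld.
access to *
        by * read
```

Check the chain by searching the same user entry three ways: bound as the cscf group DN (ldapsearch -x -D "cn=cscf,ou=Group,<baseDN>" -W), bound as the sysadm group DN, and anonymously (-x only) from inside and outside the subnet; uidNumber should appear only in the cases the stanzas grant. Besides peername, slapd's <who> clauses also accept domain= (reverse-resolved client hostname, exact, sub or regex), but that too is a literal pattern in slapd.conf that depends on reverse DNS being trustworthy, so neither selector reads a host list out of an LDAP entry.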