
Re: ACLs by netgroup?



Hi,

thanks for responding.

Here's a more specific example of what I'd like to do:

Suppose we have a manager whose DN is
uid=benevolentmanager,ou=People,dc=example,dc=com

and worker bees who report to benevolentmanager (earlier I referred to these
people as 'reports').  Their DNs are:
dn: uid=workerbee1,ou=People,dc=example,dc=com
dn: uid=workerbee2,ou=People,dc=example,dc=com
dn: uid=workerbee3,ou=People,dc=example,dc=com

The workerbees are grouped in netgroups like so:
# storage, Netgroup, example.com
dn: cn=storage,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: storage
nisNetgroupTriple: (-,workerbee1,)
nisNetgroupTriple: (-,workerbee2,)
nisNetgroupTriple: (-,workerbee3,)

and in Groups, like so:
# storage, Groups, example.com
dn: cn=storage,ou=Groups,dc=example,dc=com
cn: storage
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=workerbee1,ou=People,dc=example,dc=com
uniqueMember: uid=workerbee2,ou=People,dc=example,dc=com
uniqueMember: uid=workerbee3,ou=People,dc=example,dc=com

As you would guess, we also have many more managers, workerbees, netgroups, and
groups.

In slapd.conf, we currently allow 2 people to change the workerbees' passwords:
manager and self.  "manager" is the ldap manager, not the benevolentmanager.

slapd.conf looks like so:
access to attr=userPassword
        by self write
        by dn.base="cn=Manager,dc=example,dc=com" write
        by anonymous auth
        by * none

I'd like to expand access to attr=userPassword so that benevolentmanager may
write the values of attr=userPassword for those workerbees reporting to
him/her. 

The best I can come up with is this:
access to dn.regex="uid=(workerbee1|workerbee2|workerbee3),ou=People,dc=example,dc=com"
         attr=userPassword
         by self write
         by dn.base="cn=Manager,dc=example,dc=com" write
         by dn.base="uid=benevolentmanager,ou=People,dc=example,dc=com" write
         by anonymous auth
         by * none

It is important to specify which of the workerbees' passwords our
benevolentmanager may update, so that we don't give him/her excessive access.

Specifying the workerbees' various DNs by regex works, but also has drawbacks.
Grouping the workerbees' DNs via regex is redundant with our existing groupings
(in netgroups and groups), and the redundant configurations open opportunity
for configuration error.  Ideally, we would specify the "what" portion of the
ACL via netgroup.  To do so, I believe we need to use an ldapfilter to return
the dn of each uid specified in a given netgroup.  Unfortunately, I haven't
figured out how to do that.  Do you have suggestions?

An alternative would be to use "groups" to specify the DN of the workerbees in
the "to what" portion of the ACL.  Unfortunately, that task also eludes me.
Do you have suggestions?

In the "by who" portion of the ACL, I see that you can specify DNs by using
groups (with the syntax below).  If the same capability existed for the "to
what" portion of the ACL, it would be very convenient/useful (albeit more than
what rfc2254 outlines).

by group/groupOfUniqueNames/uniqueMember="cn=someGroup,ou=Groups,dc=example,dc=com" write

thanks for your time,
sam

--- Pierangelo Masarati <ando@sys-net.it> wrote:

> On Fri, 2006-02-03 at 15:02 -0800, samuel gipe wrote:
> > Hi All,
> > 
> > Using the ldap search filter terminology (rfc 2254), is it possible to
> > return the dn of each uid specified in a given netgroup?
> > 
> > I am trying to designate a slapd.conf ACL which allows one to write the
> > userPassword and shadowLastChange field of members of the given netgroups. 
> > Ultimately, I would like to allow managers to change the passwords of their
> > reports (who are listed in netgroups).
> > 
> > Generally, is it possible to define the "to what" portion of ACLs via
> > netgroups?
> > 
> > Things I've done prior to mailing include but are not limited to: man
> > slapd.conf, man slapd.access, reading the Oreilly book, reading rfc2254,
> > experimentation.
> 
> I'm pretty sure it can be done, although I'm not sure I understand what
> you're trying to do.  Please clarify terms like "netgroup", "managers"
> and "reports" in terms of corresponding LDAP entities (e.g. attributes,
> objectClasses and so)
> 
> p.
> 
> 
> 
> 
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> OpenLDAP Core Team
> 
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309          
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------
> 
> 


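Added example, not part of the original thread and not an OpenLDAP tool: a small Python script that derives the dn.regex ACL from the netgroup entry itself, so the ACL cannot drift from the netgroup membership that sam is worried about duplicating by hand. It assumes slapd compares dn.regex against the normalized (lower-cased) DN, and the function names, the rootdn default and the sample LDIF are constructed for this illustration.

```python
import re

# Constructed sample input: the storage netgroup entry from the message, as LDIF.
NETGROUP_LDIF = """\
dn: cn=storage,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: storage
nisNetgroupTriple: (-,workerbee1,)
nisNetgroupTriple: (-,workerbee2,)
nisNetgroupTriple: (-,workerbee3,)
"""

# A netgroup triple is "(host,user,domain)"; "-" or an empty field means "no value".
TRIPLE = re.compile(r"^\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^)]*?)\s*\)$")


def netgroup_users(ldif):
    """Return the user field of every nisNetgroupTriple in one LDIF entry."""
    users = []
    for line in ldif.splitlines():
        if not line.startswith("nisNetgroupTriple:"):
            continue
        match = TRIPLE.match(line.split(":", 1)[1].strip())
        if match and match.group(2) not in ("", "-"):
            users.append(match.group(2))
    return users


def target_regex(users, people_base):
    """Anchored pattern over the normalized DN (assumed lower-cased by slapd).
    Without ^ and $ a child entry such as cn=x,uid=workerbee1,... would match too."""
    alts = "|".join(re.escape(u.lower()) for u in users)
    return "^uid=(" + alts + ")," + re.escape(people_base.lower()) + "$"


def dn_matches(pattern, dn):
    """Mimic slapd's regexec-style search of the pattern against a normalized DN."""
    return re.search(pattern, dn.lower()) is not None


def acl_for(users, people_base, manager_dn, rootdn="cn=Manager,dc=example,dc=com"):
    """Render the slapd.conf userPassword ACL for one manager and their reports."""
    return "\n".join([
        'access to dn.regex="%s"' % target_regex(users, people_base),
        "        attrs=userPassword",
        "        by self write",
        '        by dn.base="%s" write' % rootdn,
        '        by dn.base="%s" write' % manager_dn,
        "        by anonymous auth",
        "        by * none",
    ])
```

Run the script with the netgroup LDIF exported from the directory and paste its output into slapd.conf, one access clause per manager/netgroup pair.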