dn: cn=host1,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: myHostAccessObject
cn: host1
ipHostNumber: 10.1.2.3
hostAccessGroup: admins
hostAccessGroup: dbas
authorizedService: sshd
dn: cn=host2,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: myHostAccessObject
cn: host2
ipHostNumber: 10.2.3.4
hostAccessGroup: hrpeople
hostAccessGroup: dbas
authorizedService: sshd
The hostAccessGroup refers to the name of a group whose users can access
the machine. For example:
dn: cn=admins,ou=access,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user2,ou=people,dc=example,dc=com
dn: cn=dbas,ou=access,dc=example,dc=com
objectClass: groupOfNames
cn: dbas
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user3,ou=people,dc=example,dc=com
dn: cn=hrpeople,ou=access,dc=example,dc=com
objectClass: groupOfNames
cn: hrpeople
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user4,ou=people,dc=example,dc=com
Given the above, user1, user2 and user3 will be able to access host1, and
user1 and user4 will be able to access host2.
It seems to me access based on group membership should be easy to do but I
have struggled with it immensely. I am new to LDAP so it is most likely a
lack of knowledge on my behalf but I have done a lot of research and have
not been able to find a way to do what I want. I know the nssov
documentation says the prefered mechanism is to use hostservice, and I
would like to, but I can't see how to create an ACL that would implement
the above. An alternative would be to use some existing group entry, such
as a posixGroup but that has even more complications as the memberUid is
just the UID and not a DN for a person.