On 13/07/14 05:03, Mladen Sekara wrote:
> Just out of curiosity, is there a way to have host,group,users defined in ldap, so each host uses the same base dn, but depending on host/group in ldap, only groups that are assign to that host will be available?
Use netgroups if feasible, that's roughly what you are describing. Object class nisNetgroup in nis.schema (RFC2307). Membership is resolved on the client side instead of with ACLs in the server.

They can be annoying to use, though: The syntax is idiotic, it doesn't accept e.g. underscore (_) in user names. You can replace nis.schema with a non-standard schema "rfc2307bis" if you need to get around that. That schema also has other changes like making posixGroup auxiliary, so you will need to add a structural objectclass to your posixGroup objects.

You cannot search for netgroup membership in LDAP, only read a group and then scan its member list. Which is recursive - netgroups can have netgroups for members. Hopefully you can leave that to your OS - nss_ldap and the like - instead of coding it yourself.

Beware that the RFC2307 examples do not match its syntax definition. I think the syntax (section 2.4) is correct, it says you use nisNetgroupTriple: (host,user,domain) where each component can be empty. But the example in appendix A uses nisNetgroupTriple: (user,host,domain)

-- 
Hallvard
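The client-side resolution the reply describes (read a nisNetgroup, parse its triples, recurse into memberNisNetgroup, with no LDAP-side search for membership), as an added example that is not part of the thread or of any nss_ldap code. It assumes the (host,user,domain) triple order from RFC 2307 section 2.4 and a strict keystring grammar (leading letter, then letters, digits, '-' or ';'), which is what rejects the underscore; the directory data is constructed inline and includes a netgroup cycle.

```python
import re

# Constructed sample data: nisNetgroup entries as a client would read them
# (attribute name -> list of values). "admins" refers back to "webservers",
# so the resolver must cope with a cycle.
NETGROUPS = {
    "webservers": {
        "nisNetgroupTriple": ["(web1,,)", "(web2,,)"],
        "memberNisNetgroup": ["admins"],
    },
    "admins": {
        "nisNetgroupTriple": ["(,alice,)", "(,bob,example)"],
        "memberNisNetgroup": ["webservers"],  # deliberate cycle
    },
}

# Assumed strict RFC 2307 keystring: leading ALPHA, then ALPHA / DIGIT / "-" / ";".
# No "_" here, which is why "al_ice" below is rejected. Real clients are often
# more lenient than this.
KEYSTRING = r"[A-Za-z][A-Za-z0-9;-]*"
TRIPLE_RE = re.compile(rf"^\(({KEYSTRING})?,({KEYSTRING})?,({KEYSTRING})?\)$")


def parse_triple(value):
    """Return (host, user, domain) with '' for empty components, else raise ValueError."""
    m = TRIPLE_RE.match(value)
    if not m:
        raise ValueError(f"invalid nisNetgroupTriple: {value!r}")
    return tuple(c or "" for c in m.groups())


def resolve(name, directory, seen=None):
    """Expand a netgroup client-side: read it, scan its triples, recurse into members."""
    seen = set() if seen is None else seen
    if name in seen:  # nested netgroups may loop; visit each group once
        return set()
    seen.add(name)
    entry = directory.get(name, {})
    triples = {parse_triple(v) for v in entry.get("nisNetgroupTriple", [])}
    for child in entry.get("memberNisNetgroup", []):
        triples |= resolve(child, directory, seen)
    return triples


def users_allowed_on(host, group, directory):
    """Users in `group` whose triple names `host` or leaves the host component empty."""
    return sorted(u for h, u, _ in resolve(group, directory) if u and h in ("", host))
```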
