[Fedora-directory-users] NIS groups->LDAP migration and ACIs

Jonathan Barber jon at compbio.dundee.ac.uk
Mon Jan 9 15:16:08 UTC 2006


Hi all,
   I'm in the process of migrating from NIS to FDS and I'm running into
problems implementing our requirements for access control under Fedora.

The behaviour I'm trying to replicate is as follows: our current NIS
administration tool allows the creation of users who are designated as
group administrators. These are normal users who can modify user details
and create users in NIS, but only for users who are in the same group as
the group administrator.

The DIT we're currently using is flattish, with three branches
at the root; one for users (dn: ou=people,ou=foo), one for groups (dn:
ou=groups,ou=foo), and one for other NIS maps (dn: ou=nis,ou=foo).

Users and groups have been imported from NIS as RFC2307 posixAccounts
and posixGroups.

e.g.:

dn: uid=test,ou=people,ou=foo
givenName: Nemo
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: test
cn: Nemo (GJB)
homeDirectory: /homes/test

dn: cn=servers,ou=groups,ou=foo
gidNumber: 1000
memberUid: bar
memberUid: baz
objectClass: posixgroup
objectClass: top
cn: servers

We plan to use PADL's ypldapd for legacy NIS.

In addition to the NIS groups, I've created a groupOfUniqueNames object
(dn: cn=grp_admin,ou=groups,ou=foo) to list those users who are our
group administrators.

So far I've got the following (working) ACI on the ou=groups,ou=foo
entry:

(targetattr = "memberUid")
(target = "ldap:///cn=*,ou=groups,ou=foo")
(
 version 3.0;
 acl "group edit by admin's";
 allow (write)
 (
  groupdn = "ldap:///cn=grp_admin,ou=groups,ou=foo" and
  userattr = "gidnumber#1000"
 );
)

Which, as long as users are in grp_admin and have a gidnumber of 1000,
allows addition/deletion of users from the group. But this doesn't
strike me as being very elegant as it requires a separate ACI for each
group. What I'd prefer is something similar to the following:

(targetattr = "memberUid")
(target = "ldap:///cn=*,ou=groups,ou=foo")
(
 version 3.0;
 acl "group edit by admin's";
 allow (write)
 (
  groupdn = "ldap:///cn=grp_admin,ou=groups,ou=foo" and
  userattr = "gidnumber#($attr.gidnumber)"
 );
)

Using the ($attr.gidnumber) macro to match up the user's GID and the
group's GID. Is it possible to do something like this, or am I missing an
obvious solution?

Likewise, I have an ACI for restricting the creation of users to have the same
group as the creator (in this case GID 1000):

(targattrfilters = "add=gidnumber:(gidnumber=1000)")
(target = "ldap:///ou=people,ou=foo")
(
 version 3.0;
 acl "user edit by admin's - restrict GID to admin's";
 allow (add)
 (
  groupdn = "ldap:///cn=grp_admin,ou=groups,ou=foo" and
  userattr = "gidnumber#1000"
 );
)

But again it suffers from the same problem as the group ACI: it requires an
ACI per group.

Any help would be welcomed.
-- 
Jonathan Barber
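The delegation rule the two ACIs above are meant to enforce ("a member of cn=grp_admin may edit memberUid of, and create accounts in, only groups whose gidNumber equals the admin's own") is easy to get subtly wrong, and the only way to check an ACI is to bind as a test user and try the operation. The script below is an added example, not code from the original post or from Fedora Directory Server: it does not evaluate ACI syntax at all. It parses the RFC 2307 entries shown in the post into plain dicts and encodes the intended policy directly, so it can serve as an offline oracle that produces the expected allow/deny results for ldapmodify tests against a real server. The uid=test and cn=servers entries mirror the post; uid=bar, uid=eve, cn=web, the uniqueMember values of cn=grp_admin, and all function names are this example's own assumptions.

```python
"""Offline oracle for the group-admin delegation policy (added example).

Encodes the rule the ACIs are supposed to implement, independent of ACI
syntax, so expected results for ldapmodify tests can be produced without
a running directory server.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

GROUP_ADMINS_DN = "cn=grp_admin,ou=groups,ou=foo"   # from the post
PEOPLE_BASE = "ou=people,ou=foo"
GROUPS_BASE = "ou=groups,ou=foo"

# Constructed sample directory: uid=test and cn=servers follow the post;
# the other entries are invented here to exercise both allow and deny paths.
SAMPLE_LDIF = """\
dn: uid=test,ou=people,ou=foo
objectClass: posixAccount
uid: test
cn: Nemo (GJB)
uidNumber: 1000
gidNumber: 1000
homeDirectory: /homes/test

dn: uid=bar,ou=people,ou=foo
objectClass: posixAccount
uid: bar
gidNumber: 1000

dn: uid=eve,ou=people,ou=foo
objectClass: posixAccount
uid: eve
gidNumber: 2000

dn: cn=servers,ou=groups,ou=foo
objectClass: posixGroup
cn: servers
gidNumber: 1000
memberUid: bar
memberUid: baz

dn: cn=web,ou=groups,ou=foo
objectClass: posixGroup
cn: web
gidNumber: 2000

dn: cn=grp_admin,ou=groups,ou=foo
objectClass: groupOfUniqueNames
cn: grp_admin
uniqueMember: uid=test,ou=people,ou=foo
uniqueMember: uid=eve,ou=people,ou=foo
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse plain (non-base64) LDIF into {dn: {attr: [values]}}.

    Attribute names and DNs are lower-cased because LDAP compares them
    case-insensitively; folded continuation lines (leading space) are joined.
    """
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # LDIF line folding
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries[entry["dn"][0].lower()] = entry
    return entries


def _single(entry: Optional[Entry], attr: str) -> Optional[str]:
    """The attribute's value only if it is single-valued; None otherwise."""
    values = (entry or {}).get(attr, [])
    return values[0] if len(values) == 1 else None


def is_group_admin(entries: Dict[str, Entry], bind_dn: str) -> bool:
    """True if bind_dn is a uniqueMember of cn=grp_admin."""
    admins = entries.get(GROUP_ADMINS_DN, {}).get("uniquemember", [])
    return bind_dn.lower() in (m.lower() for m in admins)


def can_edit_members(entries: Dict[str, Entry], bind_dn: str, group_dn: str) -> bool:
    """May bind_dn add/remove memberUid values on group_dn?

    Requires admin membership plus an exact gidNumber match between the
    admin's posixAccount and the target posixGroup (the $attr idea above).
    """
    if not is_group_admin(entries, bind_dn):
        return False
    if not group_dn.lower().endswith("," + GROUPS_BASE):
        return False
    admin_gid = _single(entries.get(bind_dn.lower()), "gidnumber")
    group_gid = _single(entries.get(group_dn.lower()), "gidnumber")
    return admin_gid is not None and admin_gid == group_gid


def can_add_user(entries: Dict[str, Entry], bind_dn: str, new_entry: Entry) -> bool:
    """May bind_dn create new_entry under ou=people?

    The new account must carry exactly one gidNumber equal to the admin's
    own; otherwise a group admin could hand out membership of any group.
    """
    if not is_group_admin(entries, bind_dn):
        return False
    new_dn = _single(new_entry, "dn") or ""
    if not new_dn.lower().endswith("," + PEOPLE_BASE):
        return False
    admin_gid = _single(entries.get(bind_dn.lower()), "gidnumber")
    return admin_gid is not None and _single(new_entry, "gidnumber") == admin_gid


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    test, eve = "uid=test,ou=people,ou=foo", "uid=eve,ou=people,ou=foo"
    print(can_edit_members(DIRECTORY, test, "cn=servers,ou=groups,ou=foo"))  # True
    print(can_edit_members(DIRECTORY, test, "cn=web,ou=groups,ou=foo"))      # False
    print(can_edit_members(DIRECTORY, eve, "cn=web,ou=groups,ou=foo"))       # True
```

Two of the deny cases are worth comparing against a live server: an entry with two gidNumber values is refused outright (a filter such as `(gidnumber=1000)` matches as soon as any one value is 1000, so a user-add carrying `gidNumber: 1000` and `gidNumber: 2000` would pass the targattrfilters check while still creating an account in a second group), and a write against cn=grp_admin itself is refused because that entry has no gidNumber to match. Whatever the final ACI looks like, those are the cases to run with ldapmodify bound as uid=test before trusting it.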
