Internet DRAFT - draft-bannister-dbis-netgroup
Internet Draft M. R. Bannister
<draft-bannister-dbis-netgroup-05.txt> Prose Consulting Ltd.
Category: Informational July 24, 2015
Expires January 25, 2016
Directory-Based Information Services:
Netgroups and Netservices
Status of this Memo
Distribution of this memo is unlimited.
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 25, 2016.
Comments are solicited and should be addressed to the author.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Bannister, Mark R. Expires January 25, 2016 [Page 1]
Internet Draft DBIS Netgroups and Netservices July 24, 2015
Abstract
This document extends Directory-Based Information Services (DBIS)
described in [draft-bannister-dbis-mapping-00] to support netgroup
and netservice databases.
A netgroup database schema SHALL be backwards compatible with the
Network Information Service [NIS] but stored within [X.500] entries
so that they may be resolved with the Lightweight Directory Access
Protocol [RFC4510]. A netgroup database represents groups of hosts,
users and domains.
A netservice database schema is a new extension to netgroups that
allows administrators to describe services or configuration options
for a user or system based upon their netgroup membership.
This document describes configuration maps
[draft-bannister-dbis-mapping-00] for netgroup and netservice
databases, and database entries referenced by those maps.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED" and "MAY" in this document are
to be interpreted as described in [RFC2119].
Table of Contents
1. Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Domains . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Common ABNF Productions . . . . . . . . . . . . . . . . . . 4
2. Configuration Maps . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Example Configuration Map Entries . . . . . . . . . . . . . 4
3. Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. netgroup . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.1. Definition . . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. Object Classes . . . . . . . . . . . . . . . . . . . . 5
3.1.2.1. Introduction . . . . . . . . . . . . . . . . . . . 5
3.1.2.2. dbisNetgroupConfig . . . . . . . . . . . . . . . . 6
3.1.2.3. netgroupObject . . . . . . . . . . . . . . . . . . 6
3.1.3. Attributes . . . . . . . . . . . . . . . . . . . . . . 6
3.1.3.1. en . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.3.2. netgroupHost . . . . . . . . . . . . . . . . . . . 6
3.1.3.3. netgroupUser . . . . . . . . . . . . . . . . . . . 7
3.1.3.4. netgroupTriple . . . . . . . . . . . . . . . . . . 7
3.1.3.5. exactNetgroup . . . . . . . . . . . . . . . . . . . 8
3.1.3.6. description . . . . . . . . . . . . . . . . . . . . 8
3.1.3.7. manager . . . . . . . . . . . . . . . . . . . . . . 8
3.1.3.8. disableObject . . . . . . . . . . . . . . . . . . . 8
3.1.4. Example Netgroup Entry . . . . . . . . . . . . . . . . 9
3.1.5. Determining Host Membership . . . . . . . . . . . . . . 9
3.1.6. Determining User Membership . . . . . . . . . . . . . . 9
3.2. netservice . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.1. Definition . . . . . . . . . . . . . . . . . . . . . . 10
3.2.2. Object Classes . . . . . . . . . . . . . . . . . . . . 10
3.2.2.1. Introduction . . . . . . . . . . . . . . . . . . . 11
3.2.2.2. dbisNetserviceConfig . . . . . . . . . . . . . . . 11
3.2.2.3. netserviceObject . . . . . . . . . . . . . . . . . 11
3.2.2.4. netserviceDescriptor . . . . . . . . . . . . . . . 11
3.2.3. Attributes . . . . . . . . . . . . . . . . . . . . . . 11
3.2.3.1. en . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2.3.2. exactNetgroup . . . . . . . . . . . . . . . . . . . 12
3.2.3.3. exactNetservice . . . . . . . . . . . . . . . . . . 12
3.2.3.4. description . . . . . . . . . . . . . . . . . . . . 12
3.2.3.5. manager . . . . . . . . . . . . . . . . . . . . . . 13
3.2.3.6. disableObject . . . . . . . . . . . . . . . . . . . 13
3.2.4. Example Netservice Entries . . . . . . . . . . . . . . 13
4. Common Attributes . . . . . . . . . . . . . . . . . . . . . . . 14
4.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2. notNetgroup . . . . . . . . . . . . . . . . . . . . . . . . 14
5. Attribute Syntax . . . . . . . . . . . . . . . . . . . . . . . 15
6. Implementation Notes . . . . . . . . . . . . . . . . . . . . . 15
6.1. NIS Netgroups . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. Forming netgroupHost or netgroupUser Entries . . . . . . . 16
6.3. Common Search Filters . . . . . . . . . . . . . . . . . . . 16
6.3.1. Search Parameters . . . . . . . . . . . . . . . . . . . 16
6.3.2. Find Configuration Map for Domain . . . . . . . . . . . 17
6.3.3. List All Entries . . . . . . . . . . . . . . . . . . . 17
6.3.4. Find Specific Netgroup or Netservice . . . . . . . . . 17
6.3.5. Find Netgroups By Membership . . . . . . . . . . . . . 18
6.3.6. Member of a Specific Netgroup . . . . . . . . . . . . . 18
6.3.7. Which Netgroups are Enabled? . . . . . . . . . . . . . 19
6.3.8. Find Netservices By Membership . . . . . . . . . . . . 19
6.3.9. Member of a Specific Netservice . . . . . . . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 20
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
8.1. Normative References . . . . . . . . . . . . . . . . . . . 20
8.2. Informative References . . . . . . . . . . . . . . . . . . 21
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 21
1. Concepts
1.1. Domains
The term "domain" used within this document does not refer to DBIS
domains [draft-bannister-dbis-mapping-00] but rather to DNS domains
[RFC1034].
1.2. Common ABNF Productions
A number of attributes in this document are described using ABNF
notation defined in [RFC5234]. These attributes rely on the
productions defined below as well as those defined in section 1.4 of
[RFC4512]:
ALPHA-LOW   = %x61-7A  ; lowercase "a"-"z"
ASTERISK    = %x2A     ; asterisk "*"
ATSIGN      = %x40     ; at sign "@"
COLON       = %x3A     ; colon ":"
SLASH       = %x2F     ; forward slash "/"
non-alpha   = DIGIT / HYPHEN / USCORE
keyname     = 1*(ALPHA / non-alpha)
keyname-low = 1*(ALPHA-LOW / non-alpha)
2. Configuration Maps
2.1. Scope
All databases described in this document use the standard
configuration maps defined in [draft-bannister-dbis-mapping-00],
section 3.
Additionally, dbisMapConfig entries for netgroup and netservice
databases SHALL have assigned the object classes dbisNetgroupConfig
and dbisNetserviceConfig respectively.
It is RECOMMENDED that the dbisMapConfig entry for a netgroup or
netservice database have the dbisMapFilter attribute set according to
the following table:
---------------------------------------------------
Database       dbisMapFilter
---------------------------------------------------
netgroup       objectClass=netgroupObject
netservice     objectClass=netserviceDescriptor
---------------------------------------------------
2.2. Example Configuration Map Entries
The following gives an example of a configuration map entry for a
netgroup database:
dn: cn=netgroup,en=sales.corp,ou=domain-mappings,o=infra
objectClass: top
objectClass: dbisMapConfig
objectClass: dbisNetgroupConfig
cn: netgroup
dbisMapDN: cn=netgroup,ou=dbis,o=infra
dbisMapFilter: objectClass=netgroupObject
profileTTL: 900
description: Primary netgroup database
The following gives an example of a configuration map entry for a
netservice database:
dn: cn=netservice,en=sales.corp,ou=domain-mappings,o=infra
objectClass: top
objectClass: dbisMapConfig
objectClass: dbisNetserviceConfig
cn: netservice
dbisMapDN: cn=netservice,ou=dbis,o=infra
dbisMapFilter: objectClass=netserviceDescriptor
profileTTL: 900
description: Primary netservice database
3. Database
3.1. netgroup
3.1.1. Definition
A netgroup database contains entries that represent hosts, users and
domains and which are associated with a case sensitive netgroup name.
DBIS netgroups allow groups of users and hosts to be defined with any
of the following scopes:
- All users on all hosts in a given domain.
- All users on specific hosts.
- Named users regardless of host.
- Named users on all hosts in a given domain.
- Named users on specific hosts.
3.1.2. Object Classes
3.1.2.1. Introduction
A dbisMapConfig entry for a netgroup database SHALL be assigned the
object class dbisNetgroupConfig.
A netgroup SHALL be defined by an LDAP entry with the object class
netgroupObject.
3.1.2.2. dbisNetgroupConfig
The dbisNetgroupConfig class is defined as follows:
objectclass ( 1.3.6.1.4.1.23780.219.1.3 NAME 'dbisNetgroupConfig'
DESC 'DBIS netgroup configuration map'
SUP dbisMapConfig STRUCTURAL )
3.1.2.3. netgroupObject
The netgroupObject class is defined as follows:
objectclass ( 1.3.6.1.4.1.23780.219.1.4 NAME 'netgroupObject'
DESC 'DBIS netgroup entry'
SUP top STRUCTURAL
MUST en
MAY ( netgroupHost $ netgroupUser $ netgroupTriple $
exactNetgroup $ description $ manager $ disableObject ) )
3.1.3. Attributes
3.1.3.1. en
The name of the netgroup is stored in the LDAP attribute en which is
defined in [draft-bannister-dbis-mapping-00]. The en attribute MUST
be associated with a netgroupObject entry and SHALL form the RDN.
If required, alias entries may be defined according to section 2.6 of
[RFC4512] and as permitted by section 1.2 of
[draft-bannister-dbis-mapping-00].
3.1.3.2. netgroupHost
A host that is a member of a netgroup is stored in the netgroupHost
attribute that MAY be assigned to a netgroupObject entry:
attributetype ( 1.3.6.1.4.1.23780.219.2.8 NAME 'netgroupHost'
DESC 'Host or domain that is assigned to a netgroup'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
The string representation of the netgroupHost attribute SHALL match
the following grammar, which uses the common ABNF productions defined
in section 1.2 of this document:
host         = keyname-low
domain       = keyname-low *(DOT keyname-low)
host-domain  = host DOT domain
all-domain   = ASTERISK DOT domain
netgroupHost = host / host-domain / all-domain
A DUA SHALL de-reference any aliases and convert host name and domain
name components to lower case characters prior to forming a
netgroupHost attribute or filter containing one. This is explained
further in section 6.2 of this document.
3.1.3.3. netgroupUser
A user who is a member of a netgroup is stored in the netgroupUser
attribute that MAY be assigned to a netgroupObject entry:
attributetype ( 1.3.6.1.4.1.23780.219.2.9 NAME 'netgroupUser'
DESC 'User who is assigned to a netgroup'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
The string representation of the netgroupUser attribute SHALL match
the following grammar, which uses the common ABNF productions defined
in section 1.2 of this document as well as the productions defined in
section 3.1.3.2:
user             = keyname
user-host        = user ATSIGN host
user-host-domain = user ATSIGN host-domain
user-all-domain  = user ATSIGN all-domain
netgroupUser     = user / user-host
netgroupUser     =/ user-host-domain / user-all-domain
A DUA SHALL convert host name and domain name components to lower
case characters prior to forming a netgroupUser attribute or filter
containing one. This is explained further in section 6.2 of this
document.
3.1.3.4. netgroupTriple
For backwards compatibility with RFC2307 client software, DBIS also
permits netgroup membership to be expressed in the form of netgroup
triples (see section 6.1) by providing one or more netgroupTriple
attributes that MAY be assigned to a netgroupObject entry:
attributetype ( 1.3.6.1.4.1.23780.219.2.37 NAME 'netgroupTriple'
DESC 'Case exact netgroup triple'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
A DUA SHALL convert host name and domain name components to lower
case characters prior to forming a netgroupTriple attribute or filter
containing one. This is explained further in section 6.2 of this
document.
3.1.3.5. exactNetgroup
Members of other netgroups may be inherited by this netgroup by
providing additional netgroup names to inherit in one or more
exactNetgroup attributes that MAY be assigned to a netgroupObject
entry:
attributetype ( 1.3.6.1.4.1.23780.219.2.10 NAME 'exactNetgroup'
DESC 'Case exact netgroup name associated with this entry'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
The DUA SHALL validate that a netgroup referenced by this attribute
exists and is enabled. If the netgroup is not defined, or if it has
been disabled with the disableObject attribute, then it SHALL NOT be
included in the response to the client.
3.1.3.6. description
The description attribute MAY be associated with a netgroupObject
entry to provide an arbitrary description of the entry.
3.1.3.7. manager
The manager attribute MAY be associated with a netgroupObject entry
to provide one or more DNs of the individuals, groups or systems that
are responsible for maintaining the entry.
3.1.3.8. disableObject
A netgroup entry MAY be disabled by setting the disableObject
attribute [draft-bannister-dbis-mapping-00] to TRUE. If an entry is
disabled, then the DUA SHALL behave as if the netgroup does not
exist. The DUA MAY optionally provide a separate mechanism for
listing disabled entries, but they MUST be clearly marked as disabled
so that no confusion can arise.
3.1.4. Example Netgroup Entry
The following is an example of a netgroupObject entry in LDIF format
[RFC2849]:
dn: en=sales-mgmt,ou=netgroup,ou=sales,o=infra
objectClass: top
objectClass: netgroupObject
en: sales-mgmt
netgroupHost: picard.sales.corp
netgroupHost: *.fleet.sales.corp
netgroupUser: mark@riker.sales.corp
netgroupUser: julie@*.market.sales.corp
exactNetgroup: board-mgmt
exactNetgroup: board-mgmt-remote
description: Sales Management Privileges
3.1.5. Determining Host Membership
A DUA SHOULD perform a reverse DNS lookup of a host's primary IP
address in order to determine the fully-qualified domain name to be
used for netgroup matching. A host MUST meet one of the following
conditions to be considered a member of a netgroup:
a) Unqualified host name converted to lowercase matches netgroupHost
attribute exactly. In this scenario the netgroupHost attribute is
also unqualified.
b) Fully-qualified host name converted to lowercase matches
netgroupHost attribute exactly.
c) The netgroupHost attribute uses the all-domain pattern, and the
fully-qualified domain name converted to lowercase matches this
attribute when the ASTERISK DOT prefix is removed.
3.1.6. Determining User Membership
A user MUST meet one of the following conditions to be considered a
member of a netgroup:
a) The netgroupUser attribute contains no ATSIGN and the user name
matches the netgroupUser attribute exactly.
b) The user name matches the user component of the netgroupUser
attribute exactly, and the unqualified host name of the DUA which
is obtained as described in section 3.1.5 and converted to
lowercase matches the host component of the netgroupUser attribute
exactly.
c) The user name matches the user component of the netgroupUser
attribute exactly, and the fully-qualified host name of the DUA
which is obtained as described in section 3.1.5 and converted to
lowercase matches the host-domain component of the netgroupUser
attribute exactly.
d) The user name matches the user component of the netgroupUser
attribute exactly, the netgroupUser attribute uses the all-domain
pattern and the fully-qualified domain name of the DUA which is
obtained as described in section 3.1.5 and converted to lowercase
matches this attribute when the ASTERISK DOT prefix is removed.
3.2. netservice
3.2.1. Definition
A netservice database maps netgroups to services and privileges.
Netservices may be used to determine what applications should run on
a host, how they should be configured, and what actions users can or
cannot perform.
The string representation of the fully-qualified netservice name
SHALL match the following grammar, which uses the common ABNF
productions defined in section 1.2 of this document:
service-name       = keyname
service-descriptor = keyname *(SLASH keyname)
en                 = service-name COLON service-descriptor
The service-name component identifies the service, while the service-
descriptor is a path delimited by forward slashes that identifies a
sub-component or subsystem within the service. An application is free
to interpret the name of a netservice in whichever way it suits,
although it is suggested that a netservice identifies either a
privilege or a configuration that can be applied at the host-level or
user-level.
The service-name is represented in LDAP by an entry with the
netserviceObject class. Each slash-delimited component of the
service-descriptor is represented by a child entry with the
netserviceDescriptor class, nested beneath the preceding component.
3.2.2. Object Classes
3.2.2.1. Introduction
A dbisMapConfig entry for a netservice database SHALL be assigned the
object class dbisNetserviceConfig.
A netservice SHALL be defined by an LDAP entry with the object class
netserviceObject.
3.2.2.2. dbisNetserviceConfig
The dbisNetserviceConfig class is defined as follows:
objectclass ( 1.3.6.1.4.1.23780.219.1.5
NAME 'dbisNetserviceConfig'
DESC 'DBIS netservice configuration map'
SUP dbisMapConfig STRUCTURAL )
3.2.2.3. netserviceObject
The netserviceObject class SHALL be assigned to the entry that
represents the service-name and is defined as follows:
objectclass ( 1.3.6.1.4.1.23780.219.1.6 NAME 'netserviceObject'
DESC 'DBIS netservice top-level entry'
SUP netserviceDescriptor STRUCTURAL
MUST en
MAY ( description $ manager $ disableObject ) )
3.2.2.4. netserviceDescriptor
The netserviceDescriptor class SHALL be assigned to each entry that
represents service-descriptor components and is defined as follows:
objectclass ( 1.3.6.1.4.1.23780.219.1.7
NAME 'netserviceDescriptor'
DESC 'DBIS netservice descriptor entry'
SUP top STRUCTURAL
MUST en
MAY ( exactNetgroup $ exactNetservice $
description $ manager $ disableObject ) )
3.2.3. Attributes
3.2.3.1. en
The service-name of the netservice and each service-descriptor is
stored in LDAP attributes of type en which is defined in
[draft-bannister-dbis-mapping-00]. The en attribute MUST be associated
with a netserviceObject and netserviceDescriptor entry, and SHALL form
the RDN of each.
If required, alias entries may be defined according to section 2.6 of
[RFC4512] and as permitted by section 1.2 of
[draft-bannister-dbis-mapping-00].
3.2.3.2. exactNetgroup
Users or hosts are granted a netservice if they are members of one or
more netgroups identified by exactNetgroup attributes that MAY be
assigned to a netserviceDescriptor entry. The exactNetgroup
attribute is defined in section 3.1.3.5 of this document.
The DUA SHALL validate that a netgroup referenced by this attribute
exists and is enabled. If the netgroup is not defined, or if it has
been disabled with the disableObject attribute, then it SHALL NOT be
considered when determining netservice grants.
3.2.3.3. exactNetservice
Grants from other netservices may be inherited by using one or more
exactNetservice attributes that MAY be assigned to a
netserviceDescriptor entry:
attributetype ( 1.3.6.1.4.1.23780.219.2.11 NAME 'exactNetservice'
DESC 'Case exact netservice name associated with this entry'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
Each netservice identified by the exactNetservice attribute SHALL be
a fully-qualified netservice name as defined in section 3.2.1 of this
document.
The DUA SHALL validate that a netservice referenced by this attribute
exists and is enabled. If the netservice is not defined, or if it
has been disabled with the disableObject attribute, then it SHALL NOT
be considered when determining netservice grants.
If the netservice is defined, then the same users or hosts that are
granted that netservice will be granted this one too.
3.2.3.4. description
The description attribute MAY be associated with a netserviceObject
or netserviceDescriptor entry to provide an arbitrary description of
the entry.
3.2.3.5. manager
The manager attribute MAY be associated with a netserviceObject or
netserviceDescriptor entry to provide one or more DNs of the
individuals, groups or systems that are responsible for maintaining
the entry.
3.2.3.6. disableObject
A netservice entry MAY be disabled by setting the disableObject
attribute to TRUE. If an entry is disabled, then the DUA SHALL
behave as if the netservice does not exist. The DUA MAY optionally
provide a separate mechanism for listing disabled entries, but they
MUST be clearly marked as disabled so that no confusion can arise.
The disableObject attribute may be set on either the netserviceObject
or netserviceDescriptor entry. If set on the netserviceObject entry
then the DUA SHALL treat all netserviceDescriptor entries underneath
as disabled too.
3.2.4. Example Netservice Entries
The following are example netservice entries in LDIF format
[RFC2849]:
dn: en=ssh,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
objectClass: netserviceObject
en: ssh
description: Secure Shell Service

dn: en=login,en=ssh,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
en: login
exactNetgroup: all-hosts
exactNetservice: ftp:login
exactNetservice: web:login/anonymous

dn: en=ftp,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
objectClass: netserviceObject
en: ftp
description: FTP Service

dn: en=login,en=ftp,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
en: login

dn: en=web,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
objectClass: netserviceObject
en: web
description: Web Service

dn: en=login,en=web,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
en: login

dn: en=anonymous,en=login,en=web,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
en: anonymous
These example entries define a netservice called ssh:login that will
be granted to members of the all-hosts netgroup. If this netservice
is granted, the ftp:login and web:login/anonymous netservices, also
defined above, will be granted automatically.
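An added example (not the draft's own code, nor any DBIS implementation's) that resolves a fully-qualified netservice name to its entry using the section 3.2.1 grammar and evaluates a grant: the entry and its netserviceObject ancestor must be enabled (section 3.2.3.6), and the grant comes from an exactNetgroup match or, as section 3.2.3.3 states, from the principal being granted a netservice listed in exactNetservice. The directory contents are constructed for this example and modelled on the layout above; ftp:login is written with exactNetservice: ssh:login so that, under 3.2.3.3, those granted ssh:login are also granted ftp:login, and the principal's netgroup membership is taken as an input set of enabled netgroup names.

```python
"""Resolve a fully-qualified netservice name to its LDAP entry and decide
whether a principal is granted it.  Added example; not part of the draft
or of any DBIS implementation."""
import re

KEYNAME = r"[A-Za-z0-9_-]+"
# en = service-name COLON service-descriptor, where the descriptor is
# keyname *(SLASH keyname)  (section 3.2.1)
NAME_RE = re.compile(rf"^({KEYNAME}):({KEYNAME}(?:/{KEYNAME})*)$")

def parse_netservice_name(name):
    """'web:login/anonymous' -> ('web', ['login', 'anonymous'])."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a fully-qualified netservice name: {name!r}")
    return m.group(1), m.group(2).split("/")

def netservice_dn(name, base_dn):
    """DN of the entry for `name`: the service-name is the netserviceObject
    and each descriptor component is a netserviceDescriptor child below it."""
    service, parts = parse_netservice_name(name)
    rdns = [f"en={p}" for p in reversed(parts)] + [f"en={service}", base_dn]
    return ",".join(rdns)

def is_enabled(directory, dn):
    """False if the entry is missing or disabled, or if any ancestor up to and
    including its netserviceObject is disabled (sections 3.2.3.6 and 6.3.4)."""
    entry = directory.get(dn)
    while entry is not None:
        if entry.get("disableObject"):
            return False
        if "netserviceObject" in entry["objectClass"]:
            return True
        dn = dn.partition(",")[2]  # parent DN; these RDNs have no escaped commas
        entry = directory.get(dn)
    return False

def is_granted(directory, base_dn, name, netgroups, _seen=None):
    """True if a principal in the enabled netgroups `netgroups` is granted
    `name`: an exactNetgroup of the entry matches, or the principal is granted
    a netservice listed in exactNetservice (3.2.3.3).  Each name is evaluated
    once, so exactNetservice cycles terminate."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return False
    seen.add(name)
    try:
        dn = netservice_dn(name, base_dn)
    except ValueError:
        return False
    if not is_enabled(directory, dn):
        return False
    entry = directory[dn]
    if set(entry.get("exactNetgroup", ())) & set(netgroups):
        return True
    return any(is_granted(directory, base_dn, other, netgroups, seen)
               for other in entry.get("exactNetservice", ()))

BASE = "ou=netservice,o=infra"

def _svc(en, **attrs):
    classes = ["top", "netserviceDescriptor", "netserviceObject"]
    return {"objectClass": classes, "en": en, **attrs}

def _desc(en, **attrs):
    return {"objectClass": ["top", "netserviceDescriptor"], "en": en, **attrs}

# Constructed directory contents modelled on the section 3.2.4 layout:
# ftp:login inherits the ssh:login grant through exactNetservice, the web
# service is disabled at its netserviceObject, and ssh:admin and vpn:admin
# reference each other (a cycle the evaluation must survive).
DIRECTORY = {
    f"en=ssh,{BASE}": _svc("ssh", description="Secure Shell Service"),
    f"en=login,en=ssh,{BASE}": _desc("login", exactNetgroup=["all-hosts"]),
    f"en=admin,en=ssh,{BASE}": _desc("admin", exactNetgroup=["sales-mgmt"],
                                     exactNetservice=["vpn:admin"]),
    f"en=ftp,{BASE}": _svc("ftp", description="FTP Service"),
    f"en=login,en=ftp,{BASE}": _desc("login", exactNetservice=["ssh:login"]),
    f"en=web,{BASE}": _svc("web", description="Web Service", disableObject=True),
    f"en=login,en=web,{BASE}": _desc("login"),
    f"en=anonymous,en=login,en=web,{BASE}": _desc("anonymous",
                                                  exactNetgroup=["all-hosts"]),
    f"en=vpn,{BASE}": _svc("vpn"),
    f"en=admin,en=vpn,{BASE}": _desc("admin", exactNetservice=["ssh:admin"]),
}

def granted(name, netgroups):
    return is_granted(DIRECTORY, BASE, name, set(netgroups))

if __name__ == "__main__":
    print(netservice_dn("web:login/anonymous", BASE))
    for name in ("ssh:login", "ftp:login", "web:login/anonymous", "vpn:admin"):
        print(name, granted(name, {"all-hosts"}))  # True True False False
    print("vpn:admin", granted("vpn:admin", {"sales-mgmt"}))  # True, via ssh:admin
```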
4. Common Attributes
4.1. Scope
Additional attributes that are either used within this document or
required by other documents using DBIS netgroups are defined or
referenced below.
4.2. notNetgroup
One or more netgroup names that are to be excluded from a particular
configuration entry are provided in notNetgroup attributes:
attributetype ( 1.3.6.1.4.1.23780.219.2.12 NAME 'notNetgroup'
DESC 'Case exact netgroup name NOT to be associated
with this entry'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
The DUA SHALL validate that a netgroup referenced by this attribute
exists and is enabled. If the netgroup is not defined, or if it has
been disabled with the disableObject attribute, then it SHALL NOT be
included in the response to the client.
5. Attribute Syntax
The following syntaxes are used by the attributes defined in this
document:
-----------------------------------------------------------
Syntax OID                       Value              Reference
-----------------------------------------------------------
1.3.6.1.4.1.1466.115.121.1.15    Directory String   [RFC4517]
1.3.6.1.4.1.1466.115.121.1.26    IA5 String         [RFC4517]
-----------------------------------------------------------
6. Implementation Notes
6.1. NIS Netgroups
DBIS netgroups differ in their definition from NIS netgroups and from
netgroups defined in RFC2307, which use triples of the format:
(host,user,domain)
where "host" is the canonical host name of the client system
requesting a service, "user" is the user name requesting a service,
and "domain" is the domain name of the service being requested. If
the host, user or domain field is blank then the NIS netgroup applies
to any client host, user or domain respectively.
The most common use of NIS netgroups is for defining groups of hosts
and users while the domain component is typically left blank.
DBIS separates the triple into two separate attributes, netgroupHost
and netgroupUser, and also redefines the domain component to be used
to represent all hosts in a given domain. A set of mapping rules may
be used for converting between the DBIS netgroup string
representation described in sections 3.1.3.2 and 3.1.3.3 and a list
of NIS netgroup triples. In the following grammar, the rule
beginning t- is selected based on the information supplied in the
netgroupHost or netgroupUser attribute. By removing the leading t-
one can deduce the name of the matching rule from 3.1.3.2 or 3.1.3.3:
t-host             = LPAREN host COMMA COMMA RPAREN
t-host-domain      = LPAREN host-domain COMMA COMMA RPAREN
t-all-domain       = LPAREN COMMA COMMA domain RPAREN
t-user             = LPAREN COMMA user COMMA RPAREN
t-user-host        = LPAREN host COMMA user COMMA RPAREN
t-user-host-domain = LPAREN host-domain COMMA user COMMA RPAREN
t-user-all-domain  = LPAREN COMMA user COMMA domain RPAREN
triple-any         = t-host / t-host-domain / t-all-domain
triple-any         =/ t-user / t-user-host / t-user-host-domain
triple-any         =/ t-user-all-domain
triples            = triple-any *(SPACE triple-any)
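The conversion above carried through in code, as an added example that is not part of the draft: the netgroupHost and netgroupUser values of the section 3.1.4 entry are split into their components per sections 3.1.3.2 and 3.1.3.3, rendered as NIS triples with the t- rules, and mapped back, lowercasing host and domain as section 6.2 requires. Triples that have no DBIS form (a blank triple, or a host together with a domain) are rejected rather than guessed at.

```python
"""Mapping between DBIS netgroupHost/netgroupUser values and NIS netgroup
triples, following the t- rules of section 6.1 of the draft.  Added
example; not part of the draft or of any DBIS implementation."""
import re

# keyname / keyname-low from section 1.2: (ALPHA | ALPHA-LOW) / DIGIT / HYPHEN / USCORE
KEYNAME = r"[A-Za-z0-9_-]+"
KEYNAME_LOW = r"[a-z0-9_-]+"
DOMAIN = rf"{KEYNAME_LOW}(?:\.{KEYNAME_LOW})*"

# netgroupHost = host / host-domain / all-domain   (section 3.1.3.2)
HOST_RE = re.compile(
    rf"^(?:(?P<host>{KEYNAME_LOW})(?:\.(?P<domain>{DOMAIN}))?"
    rf"|\*\.(?P<all>{DOMAIN}))$"
)
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_netgroup_host(value):
    """Split a netgroupHost value into (host, domain).  host is None for the
    all-domain form '*.domain'; domain is None for an unqualified host.
    Upper-case input is rejected: section 6.2 requires lowercase storage."""
    m = HOST_RE.match(value)
    if not m:
        raise ValueError(f"not a valid netgroupHost value: {value!r}")
    if m.group("all") is not None:
        return None, m.group("all")
    return m.group("host"), m.group("domain")

def parse_netgroup_user(value):
    """Split a netgroupUser value into (user, host, domain) per 3.1.3.3."""
    user, at, rest = value.partition("@")
    if not re.fullmatch(KEYNAME, user):
        raise ValueError(f"not a valid netgroupUser value: {value!r}")
    if not at:
        return user, None, None
    host, domain = parse_netgroup_host(rest)
    return user, host, domain

def to_triple(user, host, domain):
    """Render components as one NIS triple.  host-domain goes into the host
    field as 'host.domain'; only the all-domain forms use the domain field."""
    if host is None:
        host_field, domain_field = "", domain or ""
    elif domain is None:
        host_field, domain_field = host, ""
    else:
        host_field, domain_field = f"{host}.{domain}", ""
    return f"({host_field},{user or ''},{domain_field})"

def from_triple(triple):
    """Convert one NIS triple to ('netgroupHost' | 'netgroupUser', value).
    Raises ValueError for a blank triple or a host combined with a domain."""
    m = TRIPLE_RE.match(triple.strip())
    if not m:
        raise ValueError(f"not a netgroup triple: {triple!r}")
    host, user, domain = m.groups()
    host, domain = host.lower(), domain.lower()  # section 6.2; user stays exact
    if host and domain:
        raise ValueError(f"no DBIS form for host plus domain: {triple!r}")
    host_part = f"*.{domain}" if domain else host
    if user:
        return "netgroupUser", (f"{user}@{host_part}" if host_part else user)
    if not host_part:
        raise ValueError(f"blank triple has no DBIS form: {triple!r}")
    return "netgroupHost", host_part

def netgroup_to_triples(entry):
    """Render a netgroupObject's members as the 'triples' production."""
    triples = [to_triple(None, *parse_netgroup_host(v))
               for v in entry.get("netgroupHost", [])]
    triples += [to_triple(*parse_netgroup_user(v))
                for v in entry.get("netgroupUser", [])]
    return " ".join(triples)

def triples_to_netgroup(triples):
    """Inverse of netgroup_to_triples: rebuild the attribute value lists."""
    entry = {"netgroupHost": [], "netgroupUser": []}
    for t in triples.split():
        attr, value = from_triple(t)
        entry[attr].append(value)
    return entry

# The netgroupObject entry from section 3.1.4 of the draft.
SALES_MGMT = {
    "en": "sales-mgmt",
    "netgroupHost": ["picard.sales.corp", "*.fleet.sales.corp"],
    "netgroupUser": ["mark@riker.sales.corp", "julie@*.market.sales.corp"],
}

if __name__ == "__main__":
    nis = netgroup_to_triples(SALES_MGMT)
    print(nis)
    # (picard.sales.corp,,) (,,fleet.sales.corp) (riker.sales.corp,mark,) (,julie,market.sales.corp)
```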
6.2. Forming netgroupHost or netgroupUser Entries
Netgroup membership SHALL be expressed in terms of canonical names
only. Host names SHALL therefore have any aliases de-referenced before
being used in a netgroupHost attribute or netgroup filter.
As the user name component of the netgroupUser attribute is case
sensitive while the other components are not, a DUA SHALL convert
host name and domain name components to lower case characters prior
to forming a netgroupHost or netgroupUser attribute or filter
containing one. This is to ensure that the exact case match
performed on these attributes will not fail on host name or domain
name due to a case mismatch.
6.3. Common Search Filters
6.3.1. Search Parameters
This section provides example LDAP search filters [RFC4515] for
obtaining database entries with commonly used input criteria.
To simplify the examples, all databases are assumed to have been
defined with only a single configuration map entry (dbisMapConfig).
However, [draft-bannister-dbis-mapping-00] permits multiple such
entries, so an implementation must support this, increasing the
number of search operations as necessary to locate all of the
database entries in scope.
This document does not consider how to incorporate passwd or hosts
database entries that use the exactNetgroup attribute as an
alternative means of specifying netgroup membership. For example
search filters using the passwd or hosts databases, see
[draft-bannister-dbis-passwd-00] and [draft-bannister-dbis-hosts-00]
respectively.
The base DN used in the search operations described in this section
comes from the dbisMapDN attribute assigned to the dbisMapConfig
entry. Note that a dbisMapConfig entry may have more than one of
these.
Where it appears in search filters below, the text "dbisMapFilter"
refers to the value assigned to the attribute of the same name in the
corresponding dbisMapConfig entry. Note that netgroup and netservice
databases have different dbisMapConfig entries. Class and attribute
names used in these search filters may be modified by the
dbisMapClass and dbisMapAttr attribute assigned to the dbisMapConfig
entry.
In all filters below, fully-qualified DNS domain names are to be
obtained as described in section 3.1.5.
6.3.2. Find Configuration Map for Domain
To locate the configuration map for a given DBIS domain, search for
entries underneath the dbisDomainObject entry
[draft-bannister-dbis-mapping-00].
Netgroup maps can be found with the following search filter:
(&(objectClass=dbisNetgroupConfig)(!(disableObject=TRUE)))
Netservice maps can be found with:
(&(objectClass=dbisNetserviceConfig)(!(disableObject=TRUE)))
6.3.3. List All Entries
Netgroups and netservices are enumerated by applying the
dbisMapFilter as follows:
(&(dbisMapFilter)(!(disableObject=TRUE)))
This filter returns all enabled entries.
6.3.4. Find Specific Netgroup or Netservice
If a netgroup or netservice is known by "name", its definition is
located using the following search filter:
(&(dbisMapFilter)(!(disableObject=TRUE))(en=name))
If this is a netservice and the entry returned is a
netserviceDescriptor and not a netserviceObject, then an additional
test SHALL be performed for the disableObject attribute on the parent
netserviceObject to determine whether this netservice is disabled, as
defined in section 3.2.3.6.
When searching for specific netservices by name, this filter may
return more than one result, as namespace uniqueness is determined by
the path and not by the name of a single LDAP entry.
6.3.5. Find Netgroups By Membership
To obtain a list of all netgroups that a user with the login name
"user", who is logged into a system named "host" with the fully-
qualified DNS domain name "domain" is a member of, the following
search filter may be used:
(&(dbisMapFilter)(!(disableObject=TRUE))(|
(netgroupUser=user)
(netgroupUser=user@host.domain)
(netgroupUser=user@\2a.domain)
))
To obtain a list of all netgroups that a system named "host" with the
fully-qualified DNS domain name "domain" is a member of, the
following search filter may be used:
(&(dbisMapFilter)(!(disableObject=TRUE))(|
(netgroupHost=host)
(netgroupHost=host.domain)
(netgroupHost=\2a.domain)
))
If the user or host is not an explicit member of the netgroup,
implicit membership needs to be determined by recursively examining
each exactNetgroup attribute in the result set as the netgroup may
inherit members from other netgroups. An example search filter for
achieving this is in section 6.3.6. To prevent infinite loops, a DUA
SHALL NOT test any netgroup more than once during a single membership
operation.
6.3.6. Member of a Specific Netgroup
To determine if a user with the login name "user", who is logged into
a system named "host" with the fully-qualified DNS domain name
"domain" is a member of a specific netgroup called "name", the
following search filter may be used:
(&(dbisMapFilter)(!(disableObject=TRUE))(en=name)(|
(netgroupUser=user)
(netgroupUser=user@host.domain)
(netgroupUser=user@\2a.domain)
))
To determine if a system named "host" with the fully-qualified DNS
domain name "domain" is a member of a specific netgroup called
"name", the following search filter may be used:
(&(dbisMapFilter)(!(disableObject=TRUE))(en=name)(|
(netgroupHost=host)
(netgroupHost=host.domain)
(netgroupHost=\2a.domain)
))
If the user or host is not an explicit member of the netgroup,
implicit membership needs to be determined by recursively examining
each exactNetgroup attribute in the result set. This can be achieved
by repeating the above search filters on successive netgroups. A DUA
SHALL NOT test any netgroup more than once during a single membership
operation.
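The membership filters of sections 6.3.5 and 6.3.6, together with the recursive exactNetgroup walk and the once-per-operation guard the draft requires, as an added Python example that is not code from the draft or from any DBIS implementation; the dbisMapFilter value, the sample netgroup entries and every name in them are constructed assumptions.

```python
MAP_FILTER = "objectClass=netgroupObject"   # assumed value of dbisMapFilter
def ldap_escape(value):
    """RFC 4515 value escaping: '*' becomes \\2a, as in the draft's filters."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_terms(user, host, domain):
    """The three netgroupUser values section 6.3.5 tests for a user login."""
    return [user, "%s@%s.%s" % (user, host, domain), "%s@*.%s" % (user, domain)]

def host_terms(host, domain):
    """The three netgroupHost values the draft tests for a system."""
    return [host, "%s.%s" % (host, domain), "*.%s" % domain]

def membership_filter(attr, terms, name=None):
    """Section 6.3.5 filter (all netgroups), or 6.3.6 when a name is given."""
    name_term = "(en=%s)" % ldap_escape(name) if name else ""
    alts = "".join("(%s=%s)" % (attr, ldap_escape(t)) for t in terms)
    return "(&(%s)(!(disableObject=TRUE))%s(|%s))" % (MAP_FILTER, name_term, alts)

# Constructed sample map (en -> attributes) standing in for netgroupObject
# entries; "everyone" refers back to itself to exercise the loop guard.
NETGROUPS = {
    "admins":   {"netgroupUser": ["alice@*.example.com"], "exactNetgroup": []},
    "ops":      {"netgroupUser": ["bob"], "netgroupHost": ["*.example.com"],
                 "exactNetgroup": ["admins"]},
    "everyone": {"netgroupUser": [], "exactNetgroup": ["ops", "everyone"]},
    "retired":  {"netgroupUser": ["alice"], "exactNetgroup": [],
                 "disableObject": True},
}

def is_member(name, attr, terms, tested=None):
    """Section 6.3.6 resolution: explicit match first, then recurse through
    exactNetgroup, never testing the same netgroup twice (the loop guard)."""
    tested = set() if tested is None else tested
    if name in tested:
        return False
    tested.add(name)
    entry = NETGROUPS.get(name)
    if entry is None or entry.get("disableObject"):
        return False                  # excluded by (!(disableObject=TRUE))
    if any(t in entry.get(attr, []) for t in terms):
        return True                   # explicit member
    return any(is_member(n, attr, terms, tested) for n in entry["exactNetgroup"])

def user_in_netgroup(name, user, host, domain):
    return is_member(name, "netgroupUser", user_terms(user, host, domain))

def host_in_netgroup(name, host, domain):
    return is_member(name, "netgroupHost", host_terms(host, domain))
```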
6.3.7. Which Netgroups are Enabled?
Sometimes it is necessary to determine from a list of netgroups which
ones are enabled. This can be performed using one search operation.
In this example the netgroups being tested are called "netgr1",
"netgr2" and "netgr3":
(&(dbisMapFilter)(!(disableObject=TRUE))
(|(en=netgr1)(en=netgr2)(en=netgr3)))
6.3.8. Find Netservices By Membership
To obtain a list of all netservices that are assigned to the netgroup
called "netgroup", the following search filter may be used:
(&(dbisMapFilter)(!(disableObject=TRUE))
(exactNetgroup=netgroup))
The netservice name may then be derived from the DNs of the returned
entries. For example "en=anonymous,en=login,en=web,dbisMapDN"
represents the netservice web:login/anonymous.
Each entry returned may list additional netservices to be assigned by
use of the exactNetservice attribute.
If any netservice entry found is a netserviceDescriptor and not a
netserviceObject, then an additional test SHALL be performed for the
disableObject attribute on the parent netserviceObject to determine
whether this netservice is disabled, as defined in section 3.2.3.6.
6.3.9. Member of a Specific Netservice
To determine if a netgroup has been assigned a specific netservice,
the netservice name must be split into a path name consisting of
'en=...,en=...' so that a specific entry with the object class
netserviceDescriptor can be looked up underneath dbisMapDN. If this
entry has an exactNetgroup attribute matching the desired member
name, then a match has been found.
For example, the netservice web:login/anonymous would become the path
'en=anonymous,en=login,en=web' underneath dbisMapDN. The
netserviceDescriptor matching this DN contains the definition of the
given netservice. The exactNetgroup attribute associated with this
entry contains the list of netgroups assigned the web:login/anonymous
netservice.
Additionally, the following search filter can be used to locate
netservices that include one called "netservice" in their definition
and which are assigned to a netgroup called "netgroup":
(&(dbisMapFilter)(!(disableObject=TRUE))
(exactNetservice=netservice)
(exactNetgroup=netgroup))
If any entry is returned by a search with this filter then a match
has been found.
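The conversion of a netservice name into its 'en=...,en=...' path underneath dbisMapDN (section 6.3.9) and the reverse derivation of the name from a returned DN (section 6.3.8), as an added Python example that is not part of the draft; it assumes the name format of the draft's own example (a top-level name, then ':' and '/'-separated components) and uses a placeholder dbisMapDN.

```python
import re

MAP_DN = "ou=netservices,dc=example,dc=com"   # assumed dbisMapDN (placeholder)

def rdn_escape(value):
    """RFC 4514 hex-form escaping of an attribute value used inside a DN."""
    out = "".join("\\%02x" % ord(c) if c in ',+"\\<>;\x00' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\%02x" % ord(out[0]) + out[1:]
    if out.endswith(" "):
        out = out[:-1] + "\\20"
    return out

def rdn_unescape(rdn):
    """Decode RFC 4514 escapes in both the \\2c (hex) and \\, (char) forms."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  rdn)

def split_rdns(path):
    """Split a DN into RDNs on unescaped commas, then decode the escapes."""
    return [rdn_unescape(r) for r in re.findall(r"(?:\\.|[^,\\])+", path)]

def netservice_to_dn(name):
    """Section 6.3.9: web:login/anonymous -> en=anonymous,en=login,en=web,<dbisMapDN>."""
    head, sep, rest = name.partition(":")
    parts = [head] + (rest.split("/") if sep else [])
    if not all(parts):
        raise ValueError("empty path component in netservice name %r" % name)
    return ",".join(["en=%s" % rdn_escape(p) for p in reversed(parts)] + [MAP_DN])

def dn_to_netservice(dn):
    """Section 6.3.8 derivation: DN of a returned entry -> netservice name."""
    suffix = "," + MAP_DN
    if not dn.endswith(suffix):
        raise ValueError("DN %r is not underneath dbisMapDN" % dn)
    values = []
    for rdn in split_rdns(dn[:-len(suffix)]):
        attr, _, val = rdn.partition("=")
        if attr.strip().lower() != "en" or not val:
            raise ValueError("unexpected RDN %r in netservice path" % rdn)
        values.append(val)
    values.reverse()                   # deepest entry is the last path element
    return values[0] + (":" + "/".join(values[1:]) if len(values) > 1 else "")
```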
7. Security Considerations
The security considerations discussed in [draft-bannister-dbis-
mapping-00] apply equally to this document.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) - Technical Specification", RFC 2849, June 2000.
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.
[RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.
[RFC4515] Smith, M., Ed., and T. Howes, "Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters", RFC 4515, June 2006.
[RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006.
[RFC4519] Sciberras, A., Ed., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC 4519, June 2006.
[RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.
[draft-bannister-dbis-mapping-00] Bannister, M. R., "Directory-Based Information Services: Mapping Objects", draft-bannister-dbis-mapping-00.txt, August 2013.
[draft-bannister-dbis-passwd-00] Bannister, M. R., "Directory-Based Information Services: Users and Groups", draft-bannister-dbis-passwd-00.txt, August 2013.
[draft-bannister-dbis-hosts-00] Bannister, M. R., "Directory-Based Information Services: Hosts, Networks and Devices", draft-bannister-dbis-hosts-00.txt, August 2013.
8.2. Informative References
[X.500] Weider, C. and J. Reynolds, "Executive Introduction to Directory Services Using the X.500 Protocol", FYI 13, RFC 1308, March 1992.
[NIS] Wikipedia, "Network Information Service", <http://en.wikipedia.org/wiki/Network_Information_Service>.
Author's Address
Mark R. Bannister
Prose Consulting Ltd.
73 Claygate Lane
Esher, Surrey, KT10 0BQ
United Kingdom
Tel: +44 7764 604316
EMail: dbis@proseconsulting.co.uk