Internet Draft                                           M. R. Bannister
Category: Informational                            Prose Consulting Ltd.
Expires September 24, 2015                                March 23, 2015

      Directory-Based Information Services: Netgroups and Netservices

Status of this Memo

   Distribution of this memo is unlimited.

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups.  Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 24, 2015.

   Comments are solicited and should be addressed to the author.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Bannister, Mark R.           Expires September 24, 2015         [Page 1]

Internet Draft         DBIS Netgroups and Netservices     March 23, 2015

Abstract

   This document extends Directory-Based Information Services (DBIS) described in [draft-bannister-dbis-mapping-00] to support netgroup and netservice databases.
   A netgroup database schema SHALL be backwards compatible with the Network Information Service [NIS] but stored within [X.500] entries so that they may be resolved with the Lightweight Directory Access Protocol [RFC4510].  A netgroup database represents groups of hosts, users and domains.

   A netservice database schema is a new extension to netgroups that allows administrators to describe services or configuration options for a user or system based upon their netgroup membership.

   This document describes configuration maps [draft-bannister-dbis-mapping-00] for netgroup and netservice databases, and database entries referenced by those maps.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED" and "MAY" in this document are to be interpreted as described in [RFC2119].

Table of Contents

   1.  Concepts
     1.1.  Domains
     1.2.  Common ABNF Productions
   2.  Configuration Maps
     2.1.  Scope
     2.2.  Example Configuration Map Entries
   3.  Database
     3.1.  netgroup
       3.1.1.  Definition
       3.1.2.  Object Classes
         3.1.2.1.  Introduction
         3.1.2.2.  dbisNetgroupConfig
         3.1.2.3.  netgroupObject
       3.1.3.  Attributes
         3.1.3.1.  en
         3.1.3.2.  netgroupHost
         3.1.3.3.  netgroupUser
         3.1.3.4.  netgroupTriple
         3.1.3.5.  exactNetgroup
         3.1.3.6.  description
         3.1.3.7.  manager
         3.1.3.8.  disableObject
       3.1.4.  Example Netgroup Entry
       3.1.5.  Determining Host Membership
       3.1.6.  Determining User Membership
     3.2.  netservice
       3.2.1.  Definition
       3.2.2.  Object Classes
         3.2.2.1.  Introduction
         3.2.2.2.  dbisNetserviceConfig
         3.2.2.3.  netserviceObject
         3.2.2.4.  netserviceDescriptor
       3.2.3.  Attributes
         3.2.3.1.  en
         3.2.3.2.  exactNetgroup
         3.2.3.3.  exactNetservice
         3.2.3.4.  description
         3.2.3.5.  manager
         3.2.3.6.  disableObject
       3.2.4.  Example Netservice Entries
   4.  Common Attributes
     4.1.  Scope
     4.2.  notNetgroup
   5.  Attribute Syntax
   6.  Implementation Notes
     6.1.  NIS Netgroups
     6.2.  Forming netgroupHost or netgroupUser Entries
     6.3.  Common Search Filters
       6.3.1.  Search Parameters
       6.3.2.  Find Configuration Map for Domain
       6.3.3.  List All Entries
       6.3.4.  Find Specific Netgroup or Netservice
       6.3.5.  Find Netgroups By Membership
       6.3.6.  Member of a Specific Netgroup
       6.3.7.  Which Netgroups are Enabled?
       6.3.8.  Find Netservices By Membership
       6.3.9.  Member of a Specific Netservice
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Author's Address

1. Concepts

1.1. Domains

   The term "domain" used within this document does not refer to DBIS domains [draft-bannister-dbis-mapping-00] but rather to DNS domains [RFC1034].

1.2. Common ABNF Productions

   A number of attributes in this document are described using ABNF notation defined in [RFC5234].  These attributes rely on the productions defined below as well as those defined in section 1.4 of [RFC4512]:

      ALPHA-LOW   = %x61-7A  ; lowercase "a"-"z"
      ASTERISK    = %x2A     ; asterisk "*"
      ATSIGN      = %x40     ; at sign "@"
      COLON       = %x3A     ; colon ":"
      SLASH       = %x2F     ; forward slash "/"
      non-alpha   = DIGIT / HYPHEN / USCORE
      keyname     = 1*(ALPHA / non-alpha)
      keyname-low = 1*(ALPHA-LOW / non-alpha)

2. Configuration Maps

2.1. Scope

   All databases described in this document use the standard configuration maps defined in [draft-bannister-dbis-mapping-00], section 3.
   Additionally, dbisMapConfig entries for netgroup and netservice databases SHALL have assigned the object classes dbisNetgroupConfig and dbisNetserviceConfig respectively.

   It is RECOMMENDED that the dbisMapConfig entry for a netgroup or netservice database have the dbisMapFilter attribute set according to the following table:

      ---------------------------------------------------
      Database           dbisMapFilter
      ---------------------------------------------------
      netgroup           objectClass=netgroupObject
      netservice         objectClass=netserviceDescriptor
      ---------------------------------------------------

2.2. Example Configuration Map Entries

   The following gives an example of a configuration map entry for a netgroup database:

      dn: cn=netgroup,en=sales.corp,ou=domain-mappings,o=infra
      objectClass: top
      objectClass: dbisMapConfig
      objectClass: dbisNetgroupConfig
      cn: netgroup
      dbisMapDN: cn=netgroup,ou=dbis,o=infra
      dbisMapFilter: objectClass=netgroupObject
      profileTTL: 900
      description: Primary netgroup database

   The following gives an example of a configuration map entry for a netservice database:

      dn: cn=netservice,en=sales.corp,ou=domain-mappings,o=infra
      objectClass: top
      objectClass: dbisMapConfig
      objectClass: dbisNetserviceConfig
      cn: netservice
      dbisMapDN: cn=netservice,ou=dbis,o=infra
      dbisMapFilter: objectClass=netserviceDescriptor
      profileTTL: 900
      description: Primary netservice database

3. Database

3.1. netgroup

3.1.1. Definition

   A netgroup database contains entries that represent hosts, users and domains and which are associated with a case sensitive netgroup name.  DBIS netgroups allow groups of users and hosts to be defined with the following scope variance:

   - All users on all hosts in a given domain.
   - All users on specific hosts.
   - Named users regardless of host.
   - Named users on all hosts in a given domain.
   - Named users on specific hosts.

3.1.2. Object Classes

3.1.2.1. Introduction

   A dbisMapConfig entry for a netgroup database SHALL be assigned the object class dbisNetgroupConfig.  A netgroup SHALL be defined by an LDAP entry with the object class netgroupObject.

3.1.2.2. dbisNetgroupConfig

   The dbisNetgroupConfig class is defined as follows:

      objectclass ( 1.3.6.1.4.1.23780.219.1.3 NAME 'dbisNetgroupConfig'
          DESC 'DBIS netgroup configuration map'
          SUP dbisMapConfig STRUCTURAL )

3.1.2.3. netgroupObject

   The netgroupObject class is defined as follows:

      objectclass ( 1.3.6.1.4.1.23780.219.1.4 NAME 'netgroupObject'
          DESC 'DBIS netgroup entry'
          SUP top STRUCTURAL
          MUST en
          MAY ( netgroupHost $ netgroupUser $ netgroupTriple $
                exactNetgroup $ description $ manager $ disableObject ) )

3.1.3. Attributes

3.1.3.1. en

   The name of the netgroup is stored in the LDAP attribute en which is defined in [draft-bannister-dbis-mapping-00].  The en attribute MUST be associated with a netgroupObject entry and SHALL form the RDN.

   If required, alias entries may be defined according to section 2.6 of [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-mapping-00].

3.1.3.2. netgroupHost

   A host that is a member of a netgroup is stored in the netgroupHost attribute that MAY be assigned to a netgroupObject entry:

      attributetype ( 1.3.6.1.4.1.23780.219.2.8 NAME 'netgroupHost'
          DESC 'Host or domain that is assigned to a netgroup'
          EQUALITY caseIgnoreIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

   The string representation of the netgroupHost attribute SHALL match the following grammar, which uses the common ABNF productions defined
   in section 1.2 of this document:

      host         = keyname-low
      domain       = keyname-low *(DOT keyname-low)
      host-domain  = host DOT domain
      all-domain   = ASTERISK DOT domain
      netgroupHost = host / host-domain / all-domain

   A DUA SHALL de-reference any aliases and convert host name and domain name components to lower case characters prior to forming a netgroupHost attribute or filter containing one.  This is explained further in section 6.2 of this document.

3.1.3.3. netgroupUser

   A user who is a member of a netgroup is stored in the netgroupUser attribute that MAY be assigned to a netgroupObject entry:

      attributetype ( 1.3.6.1.4.1.23780.219.2.9 NAME 'netgroupUser'
          DESC 'User who is assigned to a netgroup'
          EQUALITY caseExactMatch
          SUBSTR caseExactSubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The string representation of the netgroupUser attribute SHALL match the following grammar, which uses the common ABNF productions defined in section 1.2 of this document as well as the productions defined in section 3.1.3.2:

      user             = keyname
      user-host        = user ATSIGN host
      user-host-domain = user ATSIGN host-domain
      user-all-domain  = user ATSIGN all-domain
      netgroupUser     = user / user-host
      netgroupUser     =/ user-host-domain / user-all-domain

   A DUA SHALL convert host name and domain name components to lower case characters prior to forming a netgroupUser attribute or filter containing one.  This is explained further in section 6.2 of this document.

3.1.3.4. netgroupTriple

   For backwards compatibility with RFC2307 client software, DBIS also permits netgroup membership to be expressed in the form of netgroup triples (see section 6.1) by providing one or more netgroupTriple
   attributes that MAY be assigned to a netgroupObject entry:

      attributetype ( 1.3.6.1.4.1.23780.219.2.37 NAME 'netgroupTriple'
          DESC 'Case exact netgroup triple'
          EQUALITY caseExactMatch
          SUBSTR caseExactSubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

   A DUA SHALL convert host name and domain name components to lower case characters prior to forming a netgroupTriple attribute or filter containing one.  This is explained further in section 6.2 of this document.

3.1.3.5. exactNetgroup

   Members of other netgroups may be inherited by this netgroup by providing additional netgroup names to inherit in one or more exactNetgroup attributes that MAY be assigned to a netgroupObject entry:

      attributetype ( 1.3.6.1.4.1.23780.219.2.10 NAME 'exactNetgroup'
          DESC 'Case exact netgroup name associated with this entry'
          EQUALITY caseExactMatch
          SUBSTR caseExactSubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The DUA SHALL validate that a netgroup referenced by this attribute exists and is enabled.  If the netgroup is not defined, or if it has been disabled with the disableObject attribute, then it SHALL NOT be included in the response to the client.

3.1.3.6. description

   The description attribute MAY be associated with a netgroupObject entry to provide an arbitrary description of the entry.

3.1.3.7. manager

   The manager attribute MAY be associated with a netgroupObject entry to provide one or more DNs of the individuals, groups or systems that are responsible for maintaining the entry.

3.1.3.8. disableObject

   A netgroup entry MAY be disabled by setting the disableObject attribute [draft-bannister-dbis-mapping-00] to TRUE.  If an entry is disabled, then the DUA SHALL behave as if the netgroup does not exist.  The DUA MAY optionally provide a separate mechanism for
   listing disabled entries, but they MUST be clearly marked as disabled so that no confusion can arise.

3.1.4. Example Netgroup Entry

   The following is an example of a netgroupObject entry in LDIF format [RFC2849]:

      dn: en=sales-mgmt,ou=netgroup,ou=sales,o=infra
      objectClass: top
      objectClass: netgroupObject
      en: sales-mgmt
      netgroupHost: picard.sales.corp
      netgroupHost: *.fleet.sales.corp
      netgroupUser: mark@riker.sales.corp
      netgroupUser: julie@*.market.sales.corp
      exactNetgroup: board-mgmt
      exactNetgroup: board-mgmt-remote
      description: Sales Management Privileges

3.1.5. Determining Host Membership

   A DUA SHOULD perform a reverse DNS lookup of a host's primary IP address in order to determine the fully-qualified domain name to be used for netgroup matching.

   A host MUST meet one of the following conditions to be considered a member of a netgroup:

   a) Unqualified host name converted to lowercase matches netgroupHost attribute exactly.  In this scenario the netgroupHost attribute is also unqualified.

   b) Fully-qualified host name converted to lowercase matches netgroupHost attribute exactly.

   c) The netgroupHost attribute uses the all-domain pattern, and the fully-qualified domain name converted to lowercase matches this attribute when the ASTERISK DOT prefix is removed.

3.1.6. Determining User Membership

   A user MUST meet one of the following conditions to be considered a member of a netgroup:

   a) The netgroupUser attribute contains no ATSIGN and the user name matches the netgroupUser attribute exactly.

   b) The user name matches the user component of the netgroupUser attribute exactly, and the unqualified host name of the DUA which is obtained as described in section 3.1.5 and converted to lowercase matches the host component of the netgroupUser attribute exactly.
   c) The user name matches the user component of the netgroupUser attribute exactly, and the fully-qualified host name of the DUA which is obtained as described in section 3.1.5 and converted to lowercase matches the host-domain component of the netgroupUser attribute exactly.

   d) The user name matches the user component of the netgroupUser attribute exactly, the netgroupUser attribute uses the all-domain pattern and the fully-qualified domain name of the DUA which is obtained as described in section 3.1.5 and converted to lowercase matches this attribute when the ASTERISK DOT prefix is removed.

3.2. netservice

3.2.1. Definition

   A netservice database maps netgroups to services and privileges.  Netservices may be used to determine what applications should run on a host, how they should be configured, and what actions users can or cannot perform.

   The string representation of the fully-qualified netservice name SHALL match the following grammar, which uses the common ABNF productions defined in section 1.2 of this document:

      service-name       = keyname
      service-descriptor = keyname *(SLASH keyname)
      en                 = service-name COLON service-descriptor

   The service-name component identifies the service, while the service-descriptor is a path delimited by forward slashes that identifies a sub-component or subsystem within the service.  An application is free to interpret the name of a netservice in whichever way it suits, although it is suggested that a netservice identifies either a privilege or a configuration that can be applied at the host-level or user-level.

   The service-name is represented in LDAP by an entry with the netserviceObject class.  Each slash-delimited component of the service-descriptor is a child object in LDAP with the netserviceDescriptor class.

3.2.2. Object Classes

3.2.2.1. Introduction

   A dbisMapConfig entry for a netservice database SHALL be assigned the object class dbisNetserviceConfig.  A netservice SHALL be defined by an LDAP entry with the object class netserviceObject.

3.2.2.2. dbisNetserviceConfig

   The dbisNetserviceConfig class is defined as follows:

      objectclass ( 1.3.6.1.4.1.23780.219.1.5 NAME 'dbisNetserviceConfig'
          DESC 'DBIS netservice configuration map'
          SUP dbisMapConfig STRUCTURAL )

3.2.2.3. netserviceObject

   The netserviceObject class SHALL be assigned to the entry that represents the service-name and is defined as follows:

      objectclass ( 1.3.6.1.4.1.23780.219.1.6 NAME 'netserviceObject'
          DESC 'DBIS netservice top-level entry'
          SUP netserviceDescriptor STRUCTURAL
          MUST en
          MAY ( description $ manager $ disableObject ) )

3.2.2.4. netserviceDescriptor

   The netserviceDescriptor class SHALL be assigned to each entry that represents service-descriptor components and is defined as follows:

      objectclass ( 1.3.6.1.4.1.23780.219.1.7 NAME 'netserviceDescriptor'
          DESC 'DBIS netservice descriptor entry'
          SUP top STRUCTURAL
          MUST en
          MAY ( exactNetgroup $ exactNetservice $ description $
                manager $ disableObject ) )

3.2.3. Attributes

3.2.3.1. en

   The service-name of the netservice and each service-descriptor is stored in LDAP attributes of type en which is defined in [draft-bannister-dbis-mapping-00].  The en attribute MUST be associated with a netserviceObject and netserviceDescriptor entry, and SHALL form the RDN of each.

   If required, alias entries may be defined according to section 2.6 of [RFC4512] and as permitted by section 1.2 of [draft-bannister-dbis-mapping-00].

3.2.3.2. exactNetgroup

   Users or hosts are granted a netservice if they are members of one or more netgroups identified by exactNetgroup attributes that MAY be assigned to a netserviceDescriptor entry.
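   As an added example (not code from the draft), the following Python parses fully-qualified netservice names against the section 3.2.1 grammar, maps them to and from the DN path used in sections 6.3.8 and 6.3.9, and resolves the netservices a netgroup is granted, following exactNetservice as illustrated in section 3.2.4 and treating a disabled parent netserviceObject as disabling everything beneath it (section 3.2.3.6).  The entry data is constructed from the section 3.2.4 LDIF and held in memory; no LDAP search is performed.

```python
"""Netservice names (section 3.2.1), their DN path beneath dbisMapDN (6.3.8,
6.3.9) and the resolution of which netservices a netgroup is granted, following
exactNetservice as illustrated in 3.2.4 with the disabled-parent rule of 3.2.3.6.
Added example, not code from the draft; the entries below are constructed from
the LDIF of section 3.2.4 and held in memory instead of being searched over LDAP."""
import re

KEYNAME = r"[A-Za-z0-9_-]+"          # keyname production of section 1.2
NETSERVICE_NAME = re.compile(rf"^({KEYNAME}):({KEYNAME}(?:/{KEYNAME})*)$")


def parse_netservice(name):
    """Split 'web:login/anonymous' into ('web', ['login', 'anonymous'])."""
    m = NETSERVICE_NAME.match(name)
    if not m:
        raise ValueError(f"invalid netservice name: {name!r}")
    return m.group(1), m.group(2).split("/")


def netservice_dn(name, map_dn):
    """DN of the netserviceDescriptor entry for a netservice (section 6.3.9).
    The keyname grammar admits no DN special characters, so once the name has
    passed parse_netservice the RDN values need no RFC 4514 escaping."""
    service, path = parse_netservice(name)
    return ",".join([f"en={c}" for c in reversed(path)] + [f"en={service}", map_dn])


def netservice_from_dn(dn, map_dn):
    """Derive the netservice name from a returned DN, as section 6.3.8 does."""
    suffix = "," + map_dn
    if not dn.endswith(suffix):
        raise ValueError(f"{dn!r} is not beneath {map_dn!r}")
    values = [rdn.split("=", 1)[1] for rdn in dn[:-len(suffix)].split(",")]
    service, path = values[-1], list(reversed(values[:-1]))
    return f"{service}:{'/'.join(path)}"


# Constructed model of the section 3.2.4 entries: netserviceObject entries are
# keyed by service-name, netserviceDescriptor entries by fully-qualified name.
ENTRIES = {
    "ssh": {},
    "ssh:login": {"exactNetgroup": ["all-hosts"],
                  "exactNetservice": ["ftp:login", "web:login/anonymous"]},
    "ftp": {},
    "ftp:login": {},
    "web": {},
    "web:login": {},
    "web:login/anonymous": {},
}


def is_enabled(name, entries):
    """A netservice counts as defined and enabled only if its descriptor exists
    and is not disabled and its parent netserviceObject is not disabled (3.2.3.6)."""
    try:
        service, _ = parse_netservice(name)
    except ValueError:
        return False
    top, entry = entries.get(service), entries.get(name)
    return (top is not None and not top.get("disableObject")
            and entry is not None and not entry.get("disableObject"))


def granted_netservices(netgroup, entries):
    """Netservices granted to a netgroup: the direct exactNetgroup grants of
    section 6.3.8 plus everything a granted entry lists in exactNetservice
    (section 3.2.4).  Undefined or disabled references are dropped and no
    netservice is visited twice, the loop protection of sections 6.3.5/6.3.6."""
    granted = set()
    pending = [name for name, entry in entries.items()
               if ":" in name and netgroup in entry.get("exactNetgroup", [])]
    while pending:
        name = pending.pop()
        if name in granted or not is_enabled(name, entries):
            continue
        granted.add(name)
        pending.extend(entries[name].get("exactNetservice", []))
    return granted


def has_netservice(netgroup, name, entries):
    """Section 6.3.9: has the netgroup been assigned the given netservice?"""
    return name in granted_netservices(netgroup, entries)
```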
   The exactNetgroup attribute is defined in section 3.1.3.5 of this document.  The DUA SHALL validate that a netgroup referenced by this attribute exists and is enabled.  If the netgroup is not defined, or if it has been disabled with the disableObject attribute, then it SHALL NOT be considered when determining netservice grants.

3.2.3.3. exactNetservice

   Grants from other netservices may be inherited by using one or more exactNetservice attributes that MAY be assigned to a netserviceDescriptor entry:

      attributetype ( 1.3.6.1.4.1.23780.219.2.11 NAME 'exactNetservice'
          DESC 'Case exact netservice name associated with this entry'
          EQUALITY caseExactMatch
          SUBSTR caseExactSubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   Each netservice identified by the exactNetservice attribute SHALL be a fully-qualified netservice name as defined in section 3.2.1 of this document.

   The DUA SHALL validate that a netservice referenced by this attribute exists and is enabled.  If the netservice is not defined, or if it has been disabled with the disableObject attribute, then it SHALL NOT be considered when determining netservice grants.  If the netservice is defined, then the same users or hosts that are granted that netservice will be granted this one too.

3.2.3.4. description

   The description attribute MAY be associated with a netserviceObject or netserviceDescriptor entry to provide an arbitrary description of the entry.

3.2.3.5. manager

   The manager attribute MAY be associated with a netserviceObject or netserviceDescriptor entry to provide one or more DNs of the individuals, groups or systems that are responsible for maintaining the entry.

3.2.3.6. disableObject

   A netservice entry MAY be disabled by setting the disableObject attribute to TRUE.  If an entry is disabled, then the DUA SHALL behave as if the netservice does not exist.
   The DUA MAY optionally provide a separate mechanism for listing disabled entries, but they MUST be clearly marked as disabled so that no confusion can arise.

   The disableObject attribute may be set on either the netserviceObject or netserviceDescriptor entry.  If set on the netserviceObject entry then the DUA SHALL treat all netserviceDescriptor entries underneath as disabled too.

3.2.4. Example Netservice Entries

   The following are example netservice entries in LDIF format [RFC2849]:

      dn: en=ssh,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      objectClass: netserviceObject
      en: ssh
      description: Secure Shell Service

      dn: en=login,en=ssh,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      en: login
      exactNetgroup: all-hosts
      exactNetservice: ftp:login
      exactNetservice: web:login/anonymous

      dn: en=ftp,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      objectClass: netserviceObject
      en: ftp
      description: FTP Service

      dn: en=login,en=ftp,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      en: login

      dn: en=web,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      objectClass: netserviceObject
      en: web
      description: Web Service

      dn: en=login,en=web,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      en: login

      dn: en=anonymous,en=login,en=web,ou=netservice,o=infra
      objectClass: top
      objectClass: netserviceDescriptor
      en: anonymous

   These example entries define a netservice called ssh:login that will be granted to members of the all-hosts netgroup.  If this netservice is granted, the ftp:login and web:login/anonymous netservices, also defined above, will be granted automatically.

4. Common Attributes

4.1. Scope

   Additional attributes that are either used within this document or required by other documents using DBIS netgroups are defined or referenced below.

4.2. notNetgroup

   One or more netgroup names that are to be excluded from a particular configuration entry are provided in notNetgroup attributes:

      attributetype ( 1.3.6.1.4.1.23780.219.2.12 NAME 'notNetgroup'
          DESC 'Case exact netgroup name NOT to be associated with this entry'
          EQUALITY caseExactMatch
          SUBSTR caseExactSubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

   The DUA SHALL validate that a netgroup referenced by this attribute exists and is enabled.  If the netgroup is not defined, or if it has been disabled with the disableObject attribute, then it SHALL NOT be included in the response to the client.

5. Attribute Syntax

   The following syntaxes are used by the attributes defined in this document:

      -----------------------------------------------------------
      Syntax OID                      Value             Reference
      -----------------------------------------------------------
      1.3.6.1.4.1.1466.115.121.1.15   Directory String  [RFC4517]
      1.3.6.1.4.1.1466.115.121.1.26   IA5 String        [RFC4517]
      -----------------------------------------------------------

6. Implementation Notes

6.1. NIS Netgroups

   DBIS netgroups differ in their definition from NIS netgroups and from netgroups defined in RFC2307, which use triples of the format:

      (host,user,domain)

   where "host" is the canonical host name of the client system requesting a service, "user" is the user name requesting a service, and "domain" is the domain name of the service being requested.  If the host, user or domain field is blank then the NIS netgroup applies to any client host, user or domain respectively.  The most common use of NIS netgroups is for defining groups of hosts and users while the domain component is typically left blank.
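   As an added example (not code from the draft), the following Python implements the host and user membership tests of sections 3.1.5 and 3.1.6 with the lower-casing of host and domain components required by section 6.2, maps netgroupHost and netgroupUser values onto the NIS triples of this section, and builds the section 6.3.5 search filter after validating its inputs against the keyname grammar so that no filter metacharacter can enter it.  It assumes the caller already holds the canonical FQDN of the system (reverse DNS and alias de-referencing are outside the example); the sample values come from the section 3.1.4 entry.

```python
"""Netgroup membership (sections 3.1.5 and 3.1.6), host/domain lower-casing
(6.2), the DBIS-to-NIS triple mapping (6.1) and the section 6.3.5 search
filter.  Added example, not code from the draft.  It assumes the caller
already holds the canonical FQDN of the system (reverse DNS lookup and alias
de-referencing are outside this example)."""
import re

# Productions of sections 1.2, 3.1.3.2 and 3.1.3.3 as regular expressions.
KEYNAME = r"[A-Za-z0-9_-]+"
KEYNAME_LOW = r"[a-z0-9_-]+"
DOMAIN = rf"{KEYNAME_LOW}(?:\.{KEYNAME_LOW})*"
NETGROUP_HOST = re.compile(
    rf"^(?:(?P<host>{KEYNAME_LOW})(?:\.(?P<domain>{DOMAIN}))?|\*\.(?P<all>{DOMAIN}))$")


def parse_host_value(value):
    """(rule, host, domain) for a netgroupHost value; rule is 'host',
    'host-domain' or 'all-domain' as named in section 3.1.3.2."""
    m = NETGROUP_HOST.match(value)
    if not m:
        raise ValueError(f"invalid netgroupHost value: {value!r}")
    if m.group("all"):
        return "all-domain", None, m.group("all")
    if m.group("domain"):
        return "host-domain", m.group("host"), m.group("domain")
    return "host", m.group("host"), None


def parse_user_value(value):
    """(rule, user, host, domain) for a netgroupUser value (rules of 3.1.3.3)."""
    user, sep, host_part = value.partition("@")
    if not re.fullmatch(KEYNAME, user):
        raise ValueError(f"invalid netgroupUser value: {value!r}")
    if not sep:
        return "user", user, None, None
    rule, host, domain = parse_host_value(host_part)
    return "user-" + rule, user, host, domain


def split_fqdn(fqdn):
    """Lower-case the FQDN (section 6.2) and split off the unqualified host."""
    fqdn = fqdn.lower()
    host, _, domain = fqdn.partition(".")
    return fqdn, host, domain


def host_is_member(fqdn, host_values):
    """Conditions a), b) and c) of section 3.1.5."""
    fqdn, host, domain = split_fqdn(fqdn)
    for value in host_values:
        rule, vhost, vdomain = parse_host_value(value)
        if ((rule == "host" and vhost == host)                    # a)
                or (rule == "host-domain" and value == fqdn)      # b)
                or (rule == "all-domain" and vdomain == domain)):  # c) exact domain
            return True
    return False


def user_is_member(user, fqdn, user_values):
    """Conditions a) to d) of section 3.1.6; the user part is case exact."""
    fqdn, host, domain = split_fqdn(fqdn)
    for value in user_values:
        rule, vuser, vhost, vdomain = parse_user_value(value)
        if vuser == user and (
                rule == "user"                                               # a)
                or (rule == "user-host" and vhost == host)                   # b)
                or (rule == "user-host-domain" and f"{vhost}.{vdomain}" == fqdn)  # c)
                or (rule == "user-all-domain" and vdomain == domain)):       # d)
            return True
    return False


def to_nis_triple(value, is_user):
    """The (host,user,domain) triple of the matching t- rule of section 6.1."""
    if is_user:
        rule, user, host, domain = parse_user_value(value)
    else:
        rule, host, domain = parse_host_value(value)
        user = ""
    if rule.endswith("all-domain"):
        return f"(,{user},{domain})"
    host_field = host if domain is None else f"{host}.{domain}"
    return f"({host_field or ''},{user},)"


def membership_filter(user, fqdn, map_filter):
    """Section 6.3.5 filter for a user.  Inputs are validated against the
    grammar first, so the only '*' in the filter is the draft's own \\2a
    escape (RFC 4515) and no filter metacharacter can be smuggled in."""
    fqdn, _, domain = split_fqdn(fqdn)
    if not re.fullmatch(KEYNAME, user) or not re.fullmatch(DOMAIN, fqdn) or not domain:
        raise ValueError("user or host name violates the keyname grammar")
    return (f"(&({map_filter})(!(disableObject=TRUE))"
            f"(|(netgroupUser={user})(netgroupUser={user}@{fqdn})"
            f"(netgroupUser={user}@\\2a.{domain})))")


# Values taken from the example netgroupObject entry of section 3.1.4.
SALES_MGMT_HOSTS = ["picard.sales.corp", "*.fleet.sales.corp"]
SALES_MGMT_USERS = ["mark@riker.sales.corp", "julie@*.market.sales.corp"]
```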
   DBIS separates the triple into two separate attributes, netgroupHost and netgroupUser, and also redefines the domain component to be used to represent all hosts in a given domain.

   A set of mapping rules may be used for converting between the DBIS netgroup string representation described in sections 3.1.3.2 and 3.1.3.3 and a list of NIS netgroup triples.  In the following grammar, the rule beginning t- is selected based on the information supplied in the netgroupHost or netgroupUser attribute.  By removing the leading t- one can deduce the name of the matching rule from 3.1.3.2 or 3.1.3.3:

      t-host             = LPAREN host COMMA COMMA RPAREN
      t-host-domain      = LPAREN host-domain COMMA COMMA RPAREN
      t-all-domain       = LPAREN COMMA COMMA domain RPAREN
      t-user             = LPAREN COMMA user COMMA RPAREN
      t-user-host        = LPAREN host COMMA user COMMA RPAREN
      t-user-host-domain = LPAREN host-domain COMMA user COMMA RPAREN
      t-user-all-domain  = LPAREN COMMA user COMMA domain RPAREN
      triple-any         = t-host / t-host-domain / t-all-domain
      triple-any         =/ t-user / t-user-host / t-user-host-domain
      triple-any         =/ t-user-all-domain
      triples            = triple-any *(SPACE triple-any)

6.2. Forming netgroupHost or netgroupUser Entries

   Netgroup membership SHALL be expressed in terms of canonical names only.  Host names SHALL therefore be alias de-referenced before being used in a netgroupHost attribute or netgroup filter.

   As the user name component of the netgroupUser attribute is case sensitive while the other components are not, a DUA SHALL convert host name and domain name components to lower case characters prior to forming a netgroupHost or netgroupUser attribute or filter containing one.  This is to ensure that the exact case match performed on these attributes will not fail on host name or domain name due to a case mismatch.

6.3. Common Search Filters

6.3.1. Search Parameters

   This section provides example LDAP search filters [RFC4515] for obtaining database entries with commonly used input criteria.

   To simplify the examples, all databases are assumed to have been defined with only a single configuration map entry (dbisMapConfig).  However, [draft-bannister-dbis-mapping-00] permits multiple such entries, so an implementation must support this, increasing the number of search operations as necessary to locate all of the database entries in scope.

   This document does not consider how to incorporate passwd or hosts database entries that use the exactNetgroup attribute as an alternative means of specifying netgroup membership.  For example search filters using the passwd or hosts databases, see [draft-bannister-dbis-passwd-00] and [draft-bannister-dbis-hosts-00] respectively.

   The base DN used in the search operations described in this section comes from the dbisMapDN attribute assigned to the dbisMapConfig entry.  Note that a dbisMapConfig entry may have more than one of these.

   Where it appears in search filters below, the text "dbisMapFilter" refers to the value assigned to the attribute of the same name in the corresponding dbisMapConfig entry.  Note that netgroup and netservice databases have different dbisMapConfig entries.

   Class and attribute names used in these search filters may be modified by the dbisMapClass and dbisMapAttr attribute assigned to the dbisMapConfig entry.

   In all filters below, fully-qualified DNS domain names are to be obtained as described in section 3.1.5.

6.3.2. Find Configuration Map for Domain

   To locate the configuration map for a given DBIS domain, search for entries underneath the dbisDomainObject entry [draft-bannister-dbis-mapping-00].
   Netgroup maps can be found with the following search filter:

      (&(objectClass=dbisNetgroupConfig)(!(disableObject=TRUE)))

   Netservice maps can be found with:

      (&(objectClass=dbisNetserviceConfig)(!(disableObject=TRUE)))

6.3.3. List All Entries

   Netgroups and netservices are enumerated by applying the dbisMapFilter as follows:

      (&(dbisMapFilter)(!(disableObject=TRUE)))

   This filter returns all enabled entries.

6.3.4. Find Specific Netgroup or Netservice

   If a netgroup or netservice is known by "name", its definition is located using the following search filter:

      (&(dbisMapFilter)(!(disableObject=TRUE))(en=name))

   If this is a netservice and the entry returned is a netserviceDescriptor and not a netserviceObject, then an additional test SHALL be performed for the disableObject attribute on the parent netserviceObject to determine whether this netservice is disabled, as defined in section 3.2.3.6.

   When searching for specific netservices by name, this filter may return more than one result, as namespace uniqueness is determined by the path and not by the name of a single LDAP entry.

6.3.5. Find Netgroups By Membership

   To obtain a list of all netgroups that a user with the login name "user", who is logged into a system named "host" with the fully-qualified DNS domain name "domain" is a member of, the following search filter may be used:

      (&(dbisMapFilter)(!(disableObject=TRUE))(|
         (netgroupUser=user)
         (netgroupUser=user@host.domain)
         (netgroupUser=user@\2a.domain)
      ))

   To obtain a list of all netgroups that a system named "host" with the fully-qualified DNS domain name "domain" is a member of, the following search filter may be used:

      (&(dbisMapFilter)(!(disableObject=TRUE))(|
         (netgroupHost=host)
         (netgroupHost=host.domain)
         (netgroupHost=\2a.domain)
      ))

   If the user or host is not an explicit member of the netgroup, implicit membership needs to be determined by recursively examining each exactNetgroup attribute in the result set as the netgroup may inherit members from other netgroups.  An example search filter for achieving this is in section 6.3.6.  To prevent infinite loops, a DUA SHALL NOT test any netgroup more than once during a single membership operation.

6.3.6. Member of a Specific Netgroup

   To determine if a user with the login name "user", who is logged into a system named "host" with the fully-qualified DNS domain name "domain" is a member of a specific netgroup called "name", the following search filter may be used:

      (&(dbisMapFilter)(!(disableObject=TRUE))(en=name)(|
         (netgroupUser=user)
         (netgroupUser=user@host.domain)
         (netgroupUser=user@\2a.domain)
      ))

   To determine if a system named "host" with the fully-qualified DNS
Expires September 24, 2015 [Page 18] Internet Draft DBIS Netgroups and Netservices March 23, 2015 domain name "domain" is a member of a specific netgroup called "name", the following search filter may be used: (&(dbisMapFilter)(!(disableObject=TRUE))(en=name)(| (netgroupHost=host) (netgroupHost=host.domain) (netgroupHost=\2a.domain) )) If the user or host is not an explicit member of the netgroup, implicit membership needs to be determined by recursively examining each exactNetgroup attribute in the result set. This can be achieved by repeating the above search filters on successive netgroups. A DUA SHALL NOT test any netgroup more than once during a single membership operation. 6.3.7. Which Netgroups are Enabled? Sometimes it is necessary to determine from a list of netgroups which ones are enabled. This can be performed using one search operation. In this example the netgroups being tested are called "netgr1", "netgr2" and "netgr3": To determine if a system named "host" with the fully-qualified DNS domain name "domain" is a member of a specific netgroup called "name", the following search filter may be used: (&(dbisMapFilter)(!(disableObject=TRUE)) (|(en=netgr1)(en=netgr2)(en=netgr3))) 6.3.8. Find Netservices By Membership To obtain a list of all netservices that are assigned to the netgroup called "netgroup", the following search filter may be used: (&(dbisMapFilter)(!(disableObject=TRUE)) (exactNetgroup=netgroup)) The netservice name may then be derived from the DNs of the returned entries. For example "en=anonymous,en=login,en=web,dbisMapDN" represents the netservice web:login/anonymous. Each entry returned may list additional netservices to be assigned by use of the exactNetservice attribute. If any netservice entry found is a netserviceDescriptor and not a netserviceObject, then an additional test SHALL be performed for the disableObject attribute on the parent netserviceObject to determine Bannister, Mark R. 
Expires September 24, 2015 [Page 19] Internet Draft DBIS Netgroups and Netservices March 23, 2015 whether this netservice is disabled, as defined in section 3.2.3.6. 6.3.9. Member of a Specific Netservice To determine if a netgroup has been assigned a specific netservice, the netservice name must be split into a path name consisting of 'en=...,en=...' so that a specific entry with the object class netserviceDescriptor can be looked up underneath dbisMapDN. If this entry has an exactNetgroup attribute matching the desired member name, then a match has been found. For example, the netservice web:login/anonymous would become the path 'en=anonymous,en=login,en=web' underneath dbisMapDN. The netserviceDescriptor matching this DN contains the definition of the given netservice. The exactNetgroup attribute associated with this entry contains the list of netgroups assigned the web:login/anonymous netservice. Additionally, the following search filter can be used to locate netservices that include one called "netservice" in their definition and which are assigned to a netgroup called "netgroup": (&(dbisMapFilter)(!(disableObject=TRUE)) (exactNetservice=netservice) (exactNetgroup=netgroup)) If any entry is returned by a search with this filter then a match has been found. 7. Security Considerations The security considerations discussed in [draft-bannister-dbis- mapping-00] apply equally to this document. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2849] Good, G., "The LDAP Data Interchange Format (LDIF) - Technical Specification", RFC 2849, June 2000. [RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006. Bannister, Mark R. 
   [RFC4512]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512,
              June 2006.

   [RFC4515]  Smith, M., Ed., and T. Howes, "Lightweight Directory
              Access Protocol (LDAP): String Representation of Search
              Filters", RFC 4515, June 2006.

   [RFC4517]  Legg, S., Ed., "Lightweight Directory Access Protocol
              (LDAP): Syntaxes and Matching Rules", RFC 4517,
              June 2006.

   [RFC4519]  Sciberras, A., Ed., "Lightweight Directory Access
              Protocol (LDAP): Schema for User Applications",
              RFC 4519, June 2006.

   [RFC5234]  Crocker, D., Ed., and P. Overell, "Augmented BNF for
              Syntax Specifications: ABNF", STD 68, RFC 5234,
              January 2008.

   [draft-bannister-dbis-mapping-00]
              Bannister, M. R., "Directory-Based Information Services:
              Mapping Objects", draft-bannister-dbis-mapping-00.txt,
              August 2013.

   [draft-bannister-dbis-passwd-00]
              Bannister, M. R., "Directory-Based Information Services:
              Users and Groups", draft-bannister-dbis-passwd-00.txt,
              August 2013.

   [draft-bannister-dbis-hosts-00]
              Bannister, M. R., "Directory-Based Information Services:
              Hosts, Networks and Devices",
              draft-bannister-dbis-hosts-00.txt, August 2013.

8.2. Informative References

   [X.500]    Weider, C. and J. Reynolds, "Executive Introduction to
              Directory Services Using the X.500 Protocol", FYI 13,
              RFC 1308, March 1992.

   [NIS]      Wikipedia, "Network Information Service".

Author's Address

   Mark R. Bannister
   Prose Consulting Ltd.
   73 Claygate Lane
   Esher, Surrey, KT10 0BQ
   United Kingdom

   Tel: +44 7764 604316
   EMail: dbis@proseconsulting.co.uk
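   The DUA-side procedures of sections 6.3.4 to 6.3.9, as an added
   worked example; this is editorial code and not part of the draft or
   of any DBIS implementation.  It builds the membership and
   enabled-check filters from the "user", "host" and "domain" values
   with the [RFC4515] value encoding (the draft's "\2a" is that encoding
   applied to the literal asterisk; the same encoding stops a login name
   such as "*)(en=*" from rewriting the filter), converts a netservice
   name to and from its 'en=...' path below dbisMapDN per [RFC4514]
   escaping rules, and resolves implicit netgroup membership through
   exactNetgroup with the "test each netgroup at most once" guard the
   draft requires.  The dbisMapFilter value, the dbisMapDN and the
   netgroup entries below are constructed for the example; nothing here
   contacts a directory server.

```python
"""Added example (not from the draft): DBIS section 6.3 search logic.
MAP_FILTER, NETSERVICE_MAP_DN and NETGROUPS are constructed stand-ins for
the real map entry and directory content."""

MAP_FILTER = "(objectClass=netgroupObject)"     # assumed dbisMapFilter
NETSERVICE_MAP_DN = "ou=netservice,o=example"   # assumed dbisMapDN
ENABLED = "(!(disableObject=TRUE))"


def esc(value):
    """RFC 4515 assertion-value encoding: '*', '(', ')', '\\', NUL and any
    non-ASCII byte become \\XX, so untrusted input cannot alter the filter."""
    return "".join("\\%02x" % b if b in b"*()\\\x00" or b >= 0x80 else chr(b)
                   for b in value.encode("utf-8"))


def user_candidates(user, host, domain):
    """netgroupUser forms a login can match (6.3.5): bare name, user@fqdn
    and the wildcard user@*.domain, whose '*' is stored literally."""
    return [user, f"{user}@{host}.{domain}", f"{user}@*.{domain}"]


def host_candidates(host, domain):
    return [host, f"{host}.{domain}", f"*.{domain}"]


def membership_filter(attr, candidates, name=None, map_filter=MAP_FILTER):
    """6.3.5 without 'name', 6.3.6 with it."""
    en = f"(en={esc(name)})" if name is not None else ""
    alts = "".join(f"({attr}={esc(c)})" for c in candidates)
    return f"(&{map_filter}{ENABLED}{en}(|{alts}))"


def enabled_filter(names, map_filter=MAP_FILTER):
    """6.3.7: one search returning only the enabled netgroups among 'names'."""
    return f"(&{map_filter}{ENABLED}(|{''.join(f'(en={esc(n)})' for n in names)}))"


def dn_escape(value):
    """RFC 4514 section 2.4: escape , + \" \\ < > ; anywhere, a leading '#'
    and a leading or trailing space."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def _split_dn(s):
    """Split a DN into RDN strings, resolving '\\x' escapes on the way."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if s[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def netservice_dn(name, map_dn=NETSERVICE_MAP_DN):
    """6.3.9: 'web:login/anonymous' -> 'en=anonymous,en=login,en=web,<dbisMapDN>'."""
    first, sep, rest = name.partition(":")
    comps = [first] + (rest.split("/") if sep else [])
    return ",".join([f"en={dn_escape(c)}" for c in reversed(comps)] + [map_dn])


def netservice_name(dn, map_dn=NETSERVICE_MAP_DN):
    """6.3.8: recover the netservice name from a returned entry's DN."""
    suffix = "," + map_dn
    if not dn.endswith(suffix):
        raise ValueError("entry is not below dbisMapDN")
    comps = []
    for rdn in reversed(_split_dn(dn[:-len(suffix)])):
        attr, _, val = rdn.partition("=")
        if attr != "en":
            raise ValueError("unexpected RDN attribute: " + attr)
        comps.append(val)
    return comps[0] + (":" + "/".join(comps[1:]) if len(comps) > 1 else "")


# Constructed netgroup entries (en -> attributes).  netgr1 and netgr3 name
# each other in exactNetgroup, so resolution must survive a cycle.
NETGROUPS = {
    "netgr1": {"netgroupHost": ["*.example.com"], "exactNetgroup": ["netgr3"]},
    "netgr2": {"netgroupUser": ["alice@www1.example.com"]},
    "netgr3": {"exactNetgroup": ["netgr1", "netgr2"]},
    "netgr4": {"netgroupUser": ["alice"], "disableObject": "TRUE"},
}


def is_member(name, attr, candidates, directory=NETGROUPS, tested=None):
    """6.3.6: explicit match on 'name', else recurse into each exactNetgroup.
    'tested' holds every netgroup already examined in this operation, so a
    cycle terminates and no netgroup is tested twice."""
    tested = set() if tested is None else tested
    if name in tested:
        return False
    tested.add(name)
    entry = directory.get(name)
    if entry is None or entry.get("disableObject") == "TRUE":
        return False
    if any(v in candidates for v in entry.get(attr, [])):
        return True
    return any(is_member(c, attr, candidates, directory, tested)
               for c in entry.get("exactNetgroup", []))


def netgroups_of(attr, candidates, directory=NETGROUPS):
    """6.3.5 plus the implicit walk: every enabled netgroup the principal is
    in, explicitly or by exactNetgroup inheritance."""
    return sorted(n for n in directory if is_member(n, attr, candidates, directory))


if __name__ == "__main__":
    alice = user_candidates("alice", "www1", "example.com")
    print(membership_filter("netgroupUser", alice))
    print(netgroups_of("netgroupUser", alice))
    print(netservice_dn("web:login/anonymous"))
```

   The in-memory walk compares the same three candidate strings that
   the filter sends as equality assertions, so a DUA talking to a real
   server would issue membership_filter() for each netgroup visited and
   apply the identical "tested" set across the successive searches.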