Netgroups have become a daily staple for NIS administrators. They allow machines and/or users to be collected together for various administrative tasks, such as grouping machines together for use in the tcp_wrappers files /etc/hosts.allow and /etc/hosts.deny. In the next example, access via ssh is restricted to members of the sysadmin netgroup only:

# /etc/hosts.deny
sshd: ALL

. . .

# /etc/hosts.allow
sshd: @sysadmin
Netgroups can be composed solely of individual hosts:

sysadmin (garion.plainjoe.org,-,-) (silk.plainjoe.org,-,-)

or of other netgroups:

all_sysadmin sysadmin secure_clients

or of any combination of the two.
RFC 2307 describes the structural nisNetgroup object class (Figure 6-7), which can be used to represent netgroups as directory entries. The cn attribute holds the name of the netgroup, the nisNetgroupTriple attribute stores the (host, user, NIS-domain) entries, and the memberNisNetgroup attribute stores the names of any nested netgroups.
Before adding any netgroup entries to the directory, you must create the container ou. By convention, I will use the ou=netgroup organizational unit for storing netgroups in this example:
dn: ou=netgroup,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: netgroup

The migrate_netgroup.pl script converts an existing /etc/netgroup file into nisNetgroup entries in LDIF form:

$ ./migrate_netgroup.pl /etc/netgroup
dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org
objectClass: nisNetgroup
objectClass: top
cn: sysadmin
nisNetgroupTriple: (garion.plainjoe.org,-,-)
nisNetgroupTriple: (silk.plainjoe.org,-,-)

dn: cn=all_sysadmin,ou=netgroup,dc=plainjoe,dc=org
objectClass: nisNetgroup
objectClass: top
cn: all_sysadmin
memberNisNetgroup: sysadmin
memberNisNetgroup: secure_clients
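The conversion shown above, reimplemented as an added example in Python (this is not the PADL migrate_netgroup.pl script and not code from the book): it parses the /etc/netgroup format into triples and nested names, emits RFC 2307 nisNetgroup LDIF under the ou=netgroup container, and flattens nested netgroups the way a resolver must, cutting dangling and cyclic references. The secure_clients definition and host bran.plainjoe.org are assumed sample data.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample /etc/netgroup: sysadmin and all_sysadmin mirror the text,
# secure_clients is an assumed definition so that all_sysadmin fully expands.
SAMPLE_NETGROUP = """\
# hosts the sysadmin team may log in from
sysadmin        (garion.plainjoe.org,-,-) (silk.plainjoe.org,-,-)
secure_clients  (bran.plainjoe.org,-,-)
all_sysadmin    sysadmin secure_clients
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")  # (host,user,domain), fields may be empty
BASE_DN = "ou=netgroup,dc=plainjoe,dc=org"


def parse_netgroup(text: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map netgroup name -> (triples, nested netgroup names) from /etc/netgroup text."""
    groups: Dict[str, Tuple[List[str], List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        name, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        triples = ["(%s,%s,%s)" % t for t in TRIPLE_RE.findall(rest)]
        members = TRIPLE_RE.sub(" ", rest).split()   # whatever is not a triple is a nested name
        groups[name] = (triples, members)
    return groups


def to_ldif(groups: Dict[str, Tuple[List[str], List[str]]], base: str = BASE_DN) -> str:
    """Emit one nisNetgroup entry per netgroup; cn is taken from the RDN so they cannot disagree."""
    entries = []
    for name, (triples, members) in groups.items():
        lines = [f"dn: cn={name},{base}", "objectClass: nisNetgroup", "objectClass: top", f"cn: {name}"]
        lines += [f"nisNetgroupTriple: {t}" for t in triples]
        lines += [f"memberNisNetgroup: {m}" for m in members]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def expand(groups: Dict[str, Tuple[List[str], List[str]]], name: str,
           seen: Optional[Set[str]] = None) -> List[str]:
    """Flatten nested netgroups into their triples; dangling or cyclic references add nothing."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    triples, members = groups[name]
    out = list(triples)
    for member in members:
        out += expand(groups, member, seen)
    return out


if __name__ == "__main__":
    netgroups = parse_netgroup(SAMPLE_NETGROUP)
    print(to_ldif(netgroups))
    print("all_sysadmin ->", " ".join(expand(netgroups, "all_sysadmin")))
```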
Next, tell nss_ldap where to search for netgroup entries by setting the netgroup search base in /etc/ldap.conf:

## /etc/ldap.conf
## <remaining parameters omitted>
## Configure the search parameters for netgroups.
nss_base_netgroup ou=netgroup,dc=plainjoe,dc=org?one

Finally, you must inform the operating system to pass off netgroup queries to the LDAP directory by updating the netgroup entry in /etc/nsswitch.conf:

## /etc/nsswitch.conf
## . . .
netgroup: ldap

You can verify that netgroups are now resolved through the directory with getent:

$ getent netgroup sysadmin
sysadmin (garion.plainjoe.org,-,-)(silk.plainjoe.org,-,-)
It would also be a good idea to verify that the /etc/hosts.allow shown at the beginning of the section obeys the netgroup membership by actually attempting to log on to the machine using ssh from a host other than garion or silk.

There are many services that can use netgroups; the tcp_wrappers security package is only one example. Another frequent use of netgroups is to restrict access to exported NFS file systems (refer to the exports(5) manpage). Any place where these administrative groups were used in your NIS domain should remain valid for the new nss_ldap-enabled systems.