Netgroups
Netgroups have become a daily staple for NIS administrators. They allow machines and/or users to be collected together for various administrative tasks such as grouping machines together for use in the tcp_wrappers files /etc/hosts.allow and /etc/hosts.deny. In this next example, you restrict access via ssh only to members of the sysadmin netgroup:
# /etc/hosts.deny
sshd: ALL
. . .
# /etc/hosts.allow
sshd: @sysadmin
Netgroups can be composed solely of individual hosts:
sysadmin (garion.plainjoe.org,-,-)(silk.plainjoe.org,-,-)
or other netgroups:
all_sysadmin sysadmin secure_clients
or of any combination of the two.
RFC 2307 describes the structural nisNetgroup object class (Figure 6-7), which can be used to represent netgroups as directory entries. The cn attribute holds the name of the netgroup, the nisNetgroupTriple attribute stores the (host, user, NIS-domain) entries, and the memberNisNetgroup attribute stores the names of any nested netgroups.
Before adding any netgroup entries to the directory, you must create the container ou. By convention, I will use the ou=netgroup organizational unit for storing netgroups in this example:
dn: ou=netgroup,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: netgroup
After passing through PADL’s migrate_netgroup.pl tool, the sysadmin netgroup will be represented by this LDIF entry:
$ ./migrate_netgroup.pl ...
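The netgroup-to-nisNetgroup mapping described above, as an added Python example (not code from the book, and not the output or source of PADL's migrate_netgroup.pl). It parses the two netgroup definitions shown on this page and renders them as entries under ou=netgroup; the function names and the restriction on characters allowed in group names are assumptions of this example.

```python
import re

# Constructed sample: the two netgroup definitions shown on this page.
SAMPLE = ("sysadmin (garion.plainjoe.org,-,-)(silk.plainjoe.org,-,-)\n"
          "all_sysadmin sysadmin secure_clients\n")
BASE = "ou=netgroup,dc=plainjoe,dc=org"  # container entry used on this page
TOKEN = re.compile(r"\(([^()]*)\)|([A-Za-z0-9_.-]+)")  # a triple or a group name
NAME = re.compile(r"^[A-Za-z0-9_.-]+$")  # assumption: names need no DN escaping

def parse_netgroups(text):
    """Return {name: (triples, nested_names)} from NIS netgroup source text."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, body = (line.split(None, 1) + [""])[:2]
        # Anything TOKEN cannot consume (stray parens, commas) is a syntax error.
        if not NAME.match(name) or TOKEN.sub("", body).strip():
            raise ValueError(f"malformed netgroup line: {raw!r}")
        triples, nested = [], []
        for m in TOKEN.finditer(body):
            if m.group(1) is None:
                nested.append(m.group(2))  # reference to another netgroup
                continue
            fields = tuple(f.strip() for f in m.group(1).split(","))
            if len(fields) != 3:
                raise ValueError(f"triple needs 3 fields: {m.group(0)!r}")
            triples.append(fields)
        groups[name] = (triples, nested)
    return groups

def to_ldif(groups, base=BASE):
    """Render each netgroup as an RFC 2307 nisNetgroup entry."""
    out = []
    for name, (triples, nested) in groups.items():
        out += [f"dn: cn={name},{base}", "objectClass: nisNetgroup", f"cn: {name}"]
        out += [f"nisNetgroupTriple: ({','.join(t)})" for t in triples]
        out += [f"memberNisNetgroup: {n}" for n in nested]
        out.append("")  # blank line separates LDIF entries
    return "\n".join(out)

def undefined_members(groups):
    """Nested names with no definition: they would resolve to nothing."""
    return sorted({n for _, nested in groups.values() for n in nested if n not in groups})

if __name__ == "__main__":
    parsed = parse_netgroups(SAMPLE)
    print(to_ldif(parsed))
    print("undefined:", undefined_members(parsed))
```

With the sample input, secure_clients is reported as undefined because only the sysadmin and all_sysadmin definitions appear on this page. Checking for dangling memberNisNetgroup values before loading the LDIF keeps an access rule such as sshd: @sysadmin from depending on a group that does not exist.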