SUMMARY: LDAP authentication using netgroups.

From: Jeremy Przygode <>
Date: Fri Jan 04 2002 - 02:00:13 EST

I didn't really get any answers from anyone except for some questions 
from people who had the same need.  I did however, get it to work in the 
meantime and for their and other people's benefit will post this summary.

I was able to restrict access to certain users on servers using LDAP 
authentication and netgroups.  This was done by creating netgroups in the 
LDAP server and then modifying the /etc/nsswitch.conf file to accommodate 
these changes.

The following LDIFs were used to create the netgroups in the LDAP server.

dn: cn=sysadmins,ou=netgroup,dc=sample,dc=com
changetype: add
cn: sysadmins
nisnetgrouptriple: (,jeremy,)
nisnetgrouptriple: (,user2,)
nisnetgrouptriple: (,user3,)
nisnetgrouptriple: (,user4,)
nisnetgrouptriple: (,user5,)
objectclass: top
objectclass: nisNetGroup

dn: cn=sysadmin-netgroup,ou=netgroup,dc=sample,dc=com
changetype: add
cn: sysadmin-netgroup
# Note: a triple names a (host,user,domain), so "(,sysadmins,)" would add a user
# called "sysadmins"; the nesting of the sysadmins netgroup is done by membernisnetgroup.
nisnetgrouptriple: (,sysadmins,)
membernisnetgroup: sysadmins
objectclass: top
objectclass: nisNetGroup

Once this was loaded into the LDAP server, one needs to use this sample /etc/nsswitch.conf file.

# /etc/nsswitch.ldap:
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd:     compat files 
passwd_compat: ldap

group:      files ldap [TRYAGAIN=continue]

# consult /etc "files" only if ldap is down. 
hosts:      files dns ldap [TRYAGAIN=continue]
ipnodes:    files ldap [TRYAGAIN=continue]

# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:    ldap [NOTFOUND=return] files

networks:   ldap [TRYAGAIN=continue] files
protocols:  ldap [TRYAGAIN=continue] files
rpc:        ldap [TRYAGAIN=continue] files
ethers:     ldap [TRYAGAIN=continue] files
netmasks:   ldap [TRYAGAIN=continue] files      
bootparams: ldap [TRYAGAIN=continue] files
publickey:  ldap [TRYAGAIN=continue] files

netgroup:   ldap [TRYAGAIN=continue]

automount:  files ldap [TRYAGAIN=continue]
aliases:    files ldap [TRYAGAIN=continue]

# for efficient getservbyname() avoid ldap
services:   files ldap [TRYAGAIN=continue]
sendmailvars:   files

# role-based access control
auth_attr: files ldap [TRYAGAIN=continue]
exec_attr: files ldap [TRYAGAIN=continue]
prof_attr: files ldap [TRYAGAIN=continue]
user_attr: files ldap [TRYAGAIN=continue]

# audit
audit_user: files ldap [TRYAGAIN=continue]
project:    files ldap [TRYAGAIN=continue]


Notice that the passwd entry does not have ldap in it, but rather "compat files",
with "passwd_compat: ldap" underneath it.  This causes the server to check the local
files for netgroups and then check the LDAP server for info on those netgroups.

Now you need to add the netgroups you want into the /etc/passwd and /etc/shadow files.

Do this by editing the /etc/passwd file and add the netgroup to the end of the file.

echo "+@sysadmin-netgroup" >> /etc/passwd

Then run pwconv to add it to /etc/shadow.

That's it.  Now all the users defined in the sysadmin-netgroup netgroup are on the server, and no other users.  What's also nice is that the server is completely unaware of any other users in the LDAP system.  They don't exist.

Hope that helps.


On Thu, 20 Dec 2001, Jeremy Przygode wrote:

>> All,
>> I have just implemented iPlanet's LDAP server to provide centralized 
>> authentication services for a mainly Solaris-only environment.  It was 
>> set up according to the Sun Blueprints "Solaris and LDAP Naming Services" book.
>> I have the following question.
>> How can I set up the LDAP server, either through the use of netgroups or 
>> LDAP ACIs, to restrict ssh login access for some users but allow other 
>> users?  So I want to set up the following type of scenario.
>> Create a webserver group and allow only web admins to log into them using 
>> ssh.  Then create a dbserver group and only allow DBAs and sysadmins to 
>> log in, but no normal users.  This type of thing.
>> I have scoured the Internet and can't find anything really relevant.  I 
>> know about netgroups, but they only seem to support rlogin etc., not telnet 
>> or ssh.  Maybe I am mistaken.  Any help would be greatly appreciated.
>> TIA,
>> Jeremy Przygode
>> _______________________________________________
>> sunmanagers mailing list
Received on Fri Jan 4 01:02:14 2002
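A worked check of the mechanism described in the summary above, added here as an example and not code from the original post: it parses netgroup entries in the LDIF shape shown (nisnetgrouptriple entries plus membernisnetgroup nesting), then walks /etc/passwd the way "passwd: compat" does, so an administrator can confirm which directory users a given host will actually admit. The "webadmins" netgroup and the names www1, alice and bob are constructed for the sample; the regex, cycle guard and malformed-triple check are this example's own.

```python
import re
# Constructed sample in the post's LDIF shape; 'webadmins', www1, alice and bob are hypothetical.
SAMPLE_LDIF = """\
cn: sysadmins
nisnetgrouptriple: (,jeremy,)

cn: sysadmin-netgroup
membernisnetgroup: sysadmins

cn: webadmins
nisnetgrouptriple: (www1,alice,)
nisnetgrouptriple: (,bob,)
"""
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")  # (host,user,domain)

def parse_netgroups(ldif):
    """Return {cn: (triples, nested netgroup names)}; entries are blank-line separated."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        cn, triples, members = None, [], []
        for line in entry.splitlines():
            attr, _, value = (s.strip() for s in line.partition(":"))
            if attr.lower() == "cn":
                cn = value
            elif attr.lower() == "nisnetgrouptriple":
                if not (m := TRIPLE_RE.match(value)):  # e.g. a truncated '(,sysadmins,'
                    raise ValueError(f"malformed triple in {cn}: {value!r}")
                triples.append(tuple(f.strip() for f in m.groups()))
            elif attr.lower() == "membernisnetgroup":
                members.append(value)
        groups[cn] = (triples, members)
    return groups
def in_netgroup(groups, name, user, host, seen=None):
    """True if (host,user) matches a triple of `name` or any nested netgroup; empty field = wildcard."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:  # unknown name or a cycle: treat as no match
        return False
    seen.add(name)
    triples, members = groups[name]
    return (any((not h or h == host) and (not u or u == user) for h, u, _ in triples)
            or any(in_netgroup(groups, m, user, host, seen) for m in members))

def passwd_admits(passwd_lines, groups, user, host):
    """Walk /etc/passwd as 'passwd: compat' does: the first matching +/-/local entry decides."""
    for name in (line.split(":", 1)[0] for line in passwd_lines):
        if name[:2] in ("+@", "-@") and in_netgroup(groups, name[2:], user, host):
            return name[0] == "+"
        if name in ("+", "-") or name.lstrip("+-") == user:  # a bare '+' exposes every directory user
            return not name.startswith("-")
    return False
```

Run it against a copy of the host's real /etc/passwd lines and an LDIF export of ou=netgroup to see, per host, exactly who the "+@" entries let in before relying on it.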

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:31 EST