SUMMARY: LDAP netgroups

From: Victor Engle <sunmanager_at_summerseas.com>
Date: Tue Oct 12 2004 - 13:16:36 EDT
I got responses from Lorraine Baran, Rob De Langhe and Jason Grove. 
Lorraine and Jason had working configurations but unfortunately I was 
unable to duplicate their success. Rob said that he didn't believe the 
netgroups could be used in /etc/passwd anymore and suggested adding code 
to /etc/profile to control logins.

In researching the problem further it seems that Sun introduced a bug 
with the Solaris 8 ldap client patch 108993-18 when the old pam_unix.so 
was replaced by several smaller modules. Some of the bug reports on 
Sunsolve suggested that a workaround would be to use the old pam 
modules which still exist in /usr/lib/security but this also didn't work 
for me. The problems I have seen are described on Sunsolve here:

http://sunsolve.sun.com/search/document.do?assetkey=1-1-5025128-1
http://sunsolve.sun.com/search/document.do?assetkey=1-1-5019501-1&searchclause=ldap%20nsswitch.conf%20compat

I did manage to use LDAP netgroups to limit logins on a system using an 
unsupported pam module that a Sun security engineer had posted on 
playground.sun.com here 
http://playground.sun.com/~darrenm/pam_netgroup.c. I intend to use this 
module as a workaround until the compat mode problem is resolved.

http://sunsolve.sun.com/search/document.do?assetkey=1-21-108993-33-1

Victor Engle wrote:

> Hello List,
>
> I have a Sun Directory server v5.2 configured as a naming service for 
> my Sun workstation. It currently provides account info, 
> authentication, group info and auto_* map info. I have been trying to 
> get netgroups to work because my goal is to use LDAP as a naming 
> service for servers and I need to be able to allow only specific users 
> access to the servers. For example on an oracle server I would want to 
> restrict access to system and database admins by adding something 
> like "+@sys_dba_admins". The sys_dba_admins would be an ldap netgroup 
> containing nis triples or netgroups for the sys admins and DBAs.
>
> I configured nsswitch.conf for compatibility mode. Here is the 
> relevant part of my nsswitch.conf:
>
> passwd:     files compat
> passwd_compat: ldap
> group:      files compat
> group_compat: ldap
> netgroup:   ldap
>
> Here is my ldap netgroup entry:
>
> cn=skylab,ou=netgroup,dc=domain_central,dc=local
> objectClass=nisNetgroup
> objectClass=top
> cn=skylab
> nisNetgroupTriple=(,vengle,)
> nisNetgroupTriple=(,fred,)
> creatorsName=cn=directory manager
> modifiersName=cn=directory manager
> createTimestamp=20041008175127Z
> modifyTimestamp=20041008175127Z
>
> And here is the /etc/passwd file entry. (pwconv added the entry to 
> /etc/shadow)
>
> +@skylab:x:::::
>
> In this configuration, no ldap account can log in. The user fred is an 
> ldap user and is listed in the skylab netgroup. If I add "+fred" to 
> the passwd file then fred can log in so I know the 1 compatibility is 
> working, just not with the netgroup.
>
> Do I have a configuration error or is this a bug?
>
> Any assistance would be appreciated.
>
> Thanks,
> Vic
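The following is an added example, not code from the thread or from Sun: a small Python model of what the "compat" passwd source is supposed to do with +@netgroup, +user and -user lines against LDAP nisNetgroup entries, so that an administrator can predict exactly which accounts a given /etc/passwd line admits before relying on the live PAM stack to enforce it. It goes beyond the skylab case above by also handling the host and domain fields of a triple, nested netgroups via memberNisNetgroup, and exclusion lines. The LDIF dump, the dba_admins and sys_dba_admins groups, the extra user names and the passwd file are all constructed for the example, and the first-match-wins walk is an approximation of the compat semantics, not Solaris's own implementation.

```python
import re

# Constructed LDIF dump of the netgroup subtree: the skylab entry from the
# thread plus two invented groups showing host/domain fields and nesting.
NETGROUP_LDIF = """\
dn: cn=skylab,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
cn: skylab
nisNetgroupTriple: (,vengle,)
nisNetgroupTriple: (,fred,)

dn: cn=dba_admins,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
cn: dba_admins
nisNetgroupTriple: (oradb1,alice,)
nisNetgroupTriple: (,bob,example.com)

dn: cn=sys_dba_admins,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
cn: sys_dba_admins
memberNisNetgroup: skylab
memberNisNetgroup: dba_admins
"""

# Constructed /etc/passwd: a local root account, an explicit exclusion,
# then the netgroup admission line (same form as +@skylab in the thread).
PASSWD_COMPAT = """\
root:x:0:0:Super-User:/:/sbin/sh
-baduser:x:::::
+@sys_dba_admins:x:::::
"""

# Constructed: the account names the 'passwd_compat: ldap' source returns.
LDAP_USERS = {"vengle", "fred", "alice", "bob", "baduser", "mallory"}

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")


def parse_netgroup_ldif(text):
    """Return {cn: {"triples": [(host, user, domain)], "members": [cn]}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends an LDIF entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"triples": [], "members": []}
        elif current is None:
            continue
        elif attr == "cn":
            groups[value] = current
        elif attr == "nisnetgrouptriple":
            m = TRIPLE_RE.match(value)
            if not m:
                raise ValueError("malformed triple: " + value)
            current["triples"].append(tuple(f.strip() for f in m.groups()))
        elif attr == "membernisnetgroup":
            current["members"].append(value)
    return groups


def _field_matches(pattern, actual):
    # NIS triple semantics: an empty field is a wildcard, "-" matches nothing.
    if pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == actual


def in_netgroup(groups, name, user, host="", domain="", _seen=None):
    """Recursive membership test; _seen guards against nesting cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    for h, u, d in groups[name]["triples"]:
        if (_field_matches(h, host) and _field_matches(u, user)
                and _field_matches(d, domain)):
            return True
    return any(in_netgroup(groups, m, user, host, domain, _seen)
               for m in groups[name]["members"])


def compat_lookup(passwd_text, groups, ldap_users, user, host="", domain=""):
    """Walk /etc/passwd top to bottom as compat mode does; the first
    matching +/- directive wins.  Returns (allowed, reason)."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if name.startswith("-@"):
            if in_netgroup(groups, name[2:], user, host, domain):
                return False, "excluded by " + name
        elif name.startswith("-"):
            if name[1:] == user:
                return False, "excluded by " + name
        elif name.startswith("+@"):
            if user in ldap_users and in_netgroup(groups, name[2:], user, host, domain):
                return True, "admitted by " + name
        elif name == "+":
            if user in ldap_users:
                return True, "admitted by + (every LDAP account)"
        elif name.startswith("+"):
            if name[1:] == user and user in ldap_users:
                return True, "admitted by " + name
        elif name == user:
            return True, "local entry in /etc/passwd"
    return False, "no matching entry"


if __name__ == "__main__":
    g = parse_netgroup_ldif(NETGROUP_LDIF)
    for who, h, d in [("fred", "", ""), ("alice", "", ""), ("alice", "oradb1", ""),
                      ("bob", "", "example.com"), ("baduser", "", ""), ("mallory", "", "")]:
        print(who, h or "*", d or "*", compat_lookup(PASSWD_COMPAT, g, LDAP_USERS, who, h, d))
```

Running it shows fred admitted through the nested skylab group, alice admitted only when the lookup is made from host oradb1, bob only for domain example.com, baduser refused by the explicit -baduser line, and mallory (an LDAP account in no netgroup) refused. Comparing that prediction with what `getent passwd <user>` returns on the real client is a quick way to tell a netgroup-data problem from a client-side (nsswitch or PAM) one like the one discussed above.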
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Oct 12 13:22:17 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:38 EST