SUMMARY: LDAP netgroups

From: Victor Engle <>
Date: Tue Oct 12 2004 - 13:16:36 EDT
I got responses from Lorraine Baran, Rob De Langhe and Jason Grove. 
Lorraine and Jason had working configurations but unfortunately I was 
unable to duplicate their success. Rob said that he didn't believe the 
netgroups could be used in /etc/passwd anymore and suggested adding code 
to /etc/profile to control logins.

In researching the problem further it seems that Sun introduced a bug 
with the Solaris8 ldap client patch 108993-18 when the old 
was replaced by several smaller modules. Some of the bug reports on 
sunsolve suggested that a work around would be to use the old pam 
modules which still exist in /usr/lib/security but this also didn't work 
for me. The problems I have seen are described on Sunsolve here:

I did manage to use LDAP netgroups to limit logins on a system using an 
unsupported pam module that a Sun security engineer had posted on here. I intend to use this 
module as a workaround until the compat mode problem is resolved.


Victor Engle wrote:

> Hello List,
> I have a Sun Directory server v5.2 configured as a naming service for 
> my Sun workstation. It currently provides account info, 
> authentication, group info and auto_* map info. I have been trying to 
> get netgroups to work because my goal is to use LDAP as a naming 
> service for servers and I need to be able to allow only specific users 
> access to the servers. For example on an oracle server I would want to 
> restrict access to system and database  admins by adding something 
> like "+@sys_dba_admins". The sys_dba_admins would be an ldap netgroup 
> containing NIS triples or netgroups for the sys admins and DBAs.
> I configured nsswitch.conf for compatibility mode. Here is the 
> relevant part of my nsswitch.conf:
> passwd:     files compat
> passwd_compat: ldap
> group:      files compat
> group_compat: ldap
> netgroup:   ldap
> Here is my ldap netgroup entry:
> cn=skylab,ou=netgroup,dc=domain_central,dc=local
> objectClass=nisNetgroup
> objectClass=top
> cn=skylab
> nisNetgroupTriple=(,vengle,)
> nisNetgroupTriple=(,fred,)
> creatorsName=cn=directory manager
> modifiersName=cn=directory manager
> createTimestamp=20041008175127Z
> modifyTimestamp=20041008175127Z
> And here is the /etc/passwd file entry. (pwconv added the entry to 
> /etc/shadow)
> +@skylab:x:::::
> In this configuration, no ldap account can login. The user fred is an 
> ldap user and is listed in the skylab netgroup. If I add "+fred" to 
> the passwd file then fred can login so I know the 1 compatibility is 
> working, just not with the netgroup.
> Do I have a configuration error or is this a bug?
> Any assistance would be appreciated.
> Thanks,
> Vic
sunmanagers mailing list
Received on Tue Oct 12 13:22:17 2004
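The following is an added worked example, not code from the original post or from Sun: it models what the compat-mode configuration in the thread is supposed to do when the "+@netgroup" entries in /etc/passwd are honoured, so a reader can check the intended semantics (first matching +/- entry wins, "-" excludes, nested netgroups are expanded, empty triple fields are wildcards) independently of the broken client patch. The LDIF is constructed inline; the skylab netgroup mirrors the one in the post, while the sys_dba_admins and contractors netgroups, the host names and the extra users are assumptions made for the example.

```python
"""Evaluate /etc/passwd compat-mode (+/-) entries against LDAP netgroups.

Added example, not from the original post. It reproduces the rules that
nsswitch 'passwd: files compat' / 'passwd_compat: ldap' is expected to apply:
/etc/passwd is walked in order, plain lines are local accounts, '+@ng' and
'-@ng' include or exclude members of an LDAP netgroup, '+user' / '-user' name
one account, and a bare '+' or '-' covers every remaining LDAP user.
"""

# Constructed LDIF (assumption). 'skylab' copies the netgroup from the post;
# the other two netgroups, the users and the host 'oradb1' are made up.
LDIF = """\
dn: cn=skylab,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
objectClass: top
cn: skylab
nisNetgroupTriple: (,vengle,)
nisNetgroupTriple: (,fred,)

dn: cn=sys_dba_admins,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
cn: sys_dba_admins
memberNisNetgroup: skylab
nisNetgroupTriple: (oradb1,oracle,)

dn: cn=contractors,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
cn: contractors
nisNetgroupTriple: (,bob,)
"""


def parse_ldif_netgroups(text):
    """Return {cn: {"triples": [(host, user, domain), ...], "members": [cn, ...]}}."""
    groups = {}
    for block in text.strip().split("\n\n"):
        entry = {"triples": [], "members": []}
        name = None
        for line in block.splitlines():
            attr, sep, val = line.partition(":")
            if not sep:
                continue
            val = val.strip()
            if attr == "cn":
                name = val
            elif attr == "nisNetgroupTriple":
                # "(host,user,domain)"; an empty field is a wildcard
                host, user, domain = (f.strip() for f in val.strip("()").split(","))
                entry["triples"].append((host, user, domain))
            elif attr == "memberNisNetgroup":
                entry["members"].append(val)
        if name:
            groups[name] = entry
    return groups


def netgroup_users(groups, name, host, domain="", seen=None):
    """Users of netgroup 'name' that apply on 'host', following nested netgroups."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:  # cycle guard / unknown netgroup
        return set()
    seen.add(name)
    users = set()
    for h, u, d in groups[name]["triples"]:
        if u and h in ("", host) and d in ("", domain):
            users.add(u)
    for member in groups[name]["members"]:
        users |= netgroup_users(groups, member, host, domain, seen)
    return users


def login_allowed(passwd_lines, groups, ldap_users, user, host):
    """Walk /etc/passwd in order; the first entry that matches 'user' decides."""
    for line in passwd_lines:
        name = line.split(":")[0]
        if not name.startswith(("+", "-")):
            if name == user:
                return True  # local account in /etc/passwd
            continue
        sign, spec = name[0], name[1:]
        if spec.startswith("@"):
            matched = user in netgroup_users(groups, spec[1:], host)
        elif spec == "":
            matched = True  # bare '+' / '-': all remaining LDAP users
        else:
            matched = spec == user
        # compat entries only ever pull in accounts that exist in the LDAP source
        if matched and user in ldap_users:
            return sign == "+"
    return False


if __name__ == "__main__":
    g = parse_ldif_netgroups(LDIF)
    passwd = ["root:x:0:0::/:/sbin/sh", "-@contractors:x:::::", "+@sys_dba_admins:x:::::"]
    ldap = {"vengle", "fred", "oracle", "bob"}
    for u, h in [("fred", "ws1"), ("bob", "ws1"), ("oracle", "ws1"), ("oracle", "oradb1")]:
        print(u, h, login_allowed(passwd, g, ldap, u, h))
```

Running it shows fred admitted on any host through skylab nested in sys_dba_admins, bob rejected by the "-@contractors" line even though later lines would admit him, and oracle admitted only on oradb1 because that triple carries a host field.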

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:38 EST