System Access Control using LDAP backed NIS Netgroups


There are many ways to control both login and service level authentication with Fedora Directory Server. [1]

This page discusses a specific implementation using LDAP backed NIS Netgroups and detail what exactly makes them so powerful.


Some knowledge of NIS and the netgroup triple syntax is in order. For those that do not have a netgroup man page available, you may see the Sun NIS FAQ, Section 3.15 specifically.

An understanding of PAM and the PAM module stack Howto:PAM

How does it work?#

netgroup entries are stored as an objectClass of type nisNetgroup in the directory server. The relative distinguished name attribute is typically cn (common name). There are two important attributes in creating the netgroup. Note that they are not mutually exclusive. Also, neither are required (sometimes having an empty netgroup is as valuable as one populated with values).


nisNetgroupTriple can be used to describe a user (,bobby,example.com) or a machine name (shellserver1,,example.com). This attribute can have multiple values.


memberNisNetgroup is a very powerful attribute. This allow the current entry to be merged the attribute values of another netgroup into the current one by simply listing the name (cn) of the merging netgroup. This attribute can have multiple values as well.

You also want to attach a description attribute and value to your object. You were planning on describing that netgroup, weren't you?

Let's look at an Example LDIF:

dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QAUsers
nisNetgroupTriple: (,bobby,example.com)
nisNetgroupTriple: (,joey,example.com)
description: All QA users in my organization

We can see here that the users 'bobby' and 'joey' belong to the QAUsers netgroup. Now, any tool that will query for the QAUsers netgroup will get back these values and can act upon them. With nss_ldap appropriately configured and /etc/nsswitch.conf conveniently pointing netgroup queries to ldap, we can test this entry on the command line like so:

# getent netgroup QAUsers
QAUsers (,bobby,example.com) (,joey,example.com)

The getent command is part of the glibc-common package on Fedora. It can be used to query any of the available NSS databases.

Now, let's look at an LDIF defining which machines are QA systems on our network:

dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QASystems
nisNetgroupTriple: (qa01,,example.com)
nisNetgroupTriple: (qa02,,example.com)
description: All QA systems on our network

OK, so we have our users and systems in place, now how do we give QAUsers login access to QASystems? Enter PAM's access.conf.

PAM's access.conf#

PAM has an often overlooked access control feature, the configuration of which is typically located in /etc/security/access.conf. It has the ability to use UNIX users and groups as well as netgroups to control remote and local console access to the system. The documentation of the syntax should be contained within the configuration file itself.

PAM's access control module is invoked with pam_access.so. Fedora includes a reference to pam_access.so in /etc/pam.d/crond, which in turn references /etc/security/access.conf. To prevent issues with crond, it is best to create separate access control file for netgroups with this line in /etc/pam.d/system-auth:

account required pam_access.so accessfile=/etc/security/access.netgroup.conf

We can give our users remote login access from our 10.x.x.x network with by modifying /etc/security/access.conf and adding this line:

+ : @QAUsers@@QASystems : 10.


Finally to enable the netgroup query, the NISDOMAIN must be defined (in /etc/sysconfig/network) even though it is not used. This is required because the innetgr() call is used and it requires a nisdomainname as a paramter. Once the functions resolves to LDAP via nsswitch.conf, the nisdomainname in no longer required.

NOTE: PAM operates on a first match basis for granting access. This implies you want to end your ACL list by denying all unmatched entries, but before you do that make sure root and/or your admin users have been matched!

For example, adding root for console only, users in the Admins netgroup remote access and denying all other unmatched entries:

+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL

An advantage to using machine groups in the access.conf is the ability to push out this access.conf configuration file to all systems in your network, regardless if they are related to QA. This gives an admin the ability to maintain a central access control list of general user and group pairs, which can be deployed via tools like CFEngine. If a QA user attempts to login to a non-QA system, PAM will first check for the user's name in the users portion of the ACL. If a match is found, it will then check if the current machine's hostname exists in the netgroup or machine name section. If the current machine does not belong to the netgroup, the ACL fails and the next one will be tried.

Since we have created our own framework of system and user group ACLs inside the LDAP server, we have decoupled access control from the actual posixAccount and posixGroup entries. This means that the user no longer requires an account in the LDAP server itself. A simple entry in /etc/passwd is good enough to apply access control in this manner. With this infrastructure in place, we can now start up Fedora's Admin Console or our favorite LDAP editor and quickly add or remove login access to users and machines!

More Information#

There might be more information for this subject on one of the following:
[#1] A lot of the content on this page is derived from http://directory.fedoraproject.org/wiki/Howto:Netgroups