This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
A netgroup defines a network-wide group of hosts and users. Use a netgroup to restrict access to shared [NFS] filesystems and to restrict remote login and shell access.
Network groups are stored in a network information service, such as [LDAP], [NIS], or NIS+, not in a local file.
[{$pagename}] are a great way to identify people and machines under nice, neat names for access control. A good example of using this feature is for a site where users are not allowed to log in to server machines. You can create a netgroup for the system administrators and let in members of the group through a special entry in the /etc/passwd file.
[{$pagename}] have become a daily staple for NIS administrators. They allow machines and/or users to be collected together for various administrative tasks, such as grouping machines together for use in the tcp_wrappers files /etc/hosts.allow and /etc/hosts.deny. In this next example, you restrict access via ssh only to members of the sysadmin [{$pagename}]:
{{{
# /etc/hosts.deny
sshd: ALL
. . .
# /etc/hosts.allow
sshd: @sysadmin
}}}
!! What are NIS netgroups good for?
First, it's important to understand what a NIS [netgroup] gives the average system administrator. NIS [Netgroup]s provide the ability to perform such tasks as:
* Control both user and group login access to individual or groups of machines.
* Manage NFS access control lists.
* Control user and group sudo command access.
* Execute remote commands or interactive logins on groups of machines with dsh (distributed shell).
* Manage the configuration of your entire network on a role basis with an IDM Implementation.
These are just a few of the excellent uses for NIS netgroups. If we take this functionality and implement an LDAP-based backend, we can not only take advantage of these tools but also gain the security, manageability and fault tolerance of Fedora Directory Server.
!! LDAP Setup
RFC 2307 describes the setup of the LDAP entries to support [{$pagename}].
The structural object class [nisNetgroup] represents netgroups as directory entries. Its attributes are:
* [cn] - The cn attribute holds the name of the netgroup
* [nisNetgroupTriple] - stores the (host, user, NIS-domain) entries
* [memberNisNetgroup] - stores the names of any nested netgroups.
Before adding any [{$pagename}] entries to the directory, you must create a container where [{$pagename}]s are located. By convention, the ou=netgroup organizational unit is often used for storing [{$pagename}]:
{{{
dn: ou=netgroup,dc=willeke,dc=com
objectclass: organizationalUnit
ou: netgroup
}}}
The sysadmin netgroup could be represented by this LDIF entry:
{{{
dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org
objectClass: nisNetgroup
objectClass: top
cn: sysadmin
nisNetgroupTriple: (garion.plainjoe.org,,)
nisNetgroupTriple: (silk.plainjoe.org,,)
}}}
! [LDAP Client Configuration]
After adding these entries to your directory, you must configure the [LDAP Client Configuration] with the correct search suffix: the LDAP container that is the parent of all your [{$pagename}] entries.
! [Name Service Switch] File
Finally, you must inform the operating system to pass netgroup queries to the LDAP directory by updating the netgroup entry in [Name Service Switch]:
{{{
## /etc/nsswitch.conf
## . . .
netgroup: ldap
}}}
!! Query for [{$pagename}]
The [getent|Getent] tool can be used to query NSS for specific [{$pagename}] by giving the group name as a command-line parameter:
{{{
getent netgroup sysadmin
sysadmin (sa.willeke.com, , ) (xenhost.willeke.com, , )
}}}
! /etc/hosts.allow
It is also a good idea to verify that the /etc/hosts.allow entry shown at the beginning of this page actually enforces netgroup membership, by attempting to log on to the machine with ssh from a host other than garion or silk.
!! Location of netgroup NIS
As a reference, netgroup information is kept in the /etc/netgroup file and shared via NIS.
The format of a netgroups file is as follows:
{{{
groupname member-list
}}}
groupname is the name of the group being defined, and the member-list consists of other group names or tuples of specific data. Entries in the member-list are separated by whitespace.
!! Tuples
Since an LDAP implementation of [{$pagename}] can be used for all hosts within an entire enterprise, the configuration of [{$pagename}]s in LDAP is a little different.
The configuration uses a tuple containing specific data in this form:
{{{
(hostname, username, domain name)
}}}
* hostname is the name of the machine for which that entry is valid
* username is the login of the person being referenced
* domain name is the NIS domain name. Any field left blank is treated as a wildcard.
!! Some Examples
For example,
{{{
(technics,,)
}}}
implies [everybody] on the [host] technics.
A field containing a dash (-) means that there is no valid value for that field. For example,
{{{
(-,sshah,)
}}}
This means the user sshah and nothing else. This is useful for generating a list of users or machine names for use in other netgroups.
__NOTE:__ We recommend using this format instead:
{{{
(,sshah,)
}}}
We have seen some implementations that do not like the use of the "-" for none.
!! Referencing Netgroups
In files where netgroups are supported (such as /etc/passwd), you reference them by placing an @ sign in front of the name. If you want to give the netgroup sysadmins, consisting of
{{{
(,sshah,) (,heidis,)
}}}
permission to log in to a server, you add this line to your /etc/passwd file:
{{{
+@sysadmins
}}}
An example of a full netgroups file follows:
{{{
sysadmins (,sshah,) (,heidis,) (,jnguyen,) (,mpham,)
servers (numark,,) (vestax,,)
clients (denon,,) (technics,,) (mtx,,)
research-1 (,boson,) (,jyom,) (,weals,) (,jaffe,)
research-2 (,sangeet,) (,mona,) (,paresh,) (,manjari,) (,jagdish,)
consultants (,arturo,)
allusers sysadmins research-1 research-2 consultants
allhosts servers clients
}}}
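As an added example (not code from the original page), the following Python parses the netgroups file above and answers membership questions the way innetgr(3) does: a blank field is a wildcard, a "-" field never matches, a bare word in the member-list is a nested netgroup that is followed recursively, and a caller passes None for a field it does not care about. The extra "ops" line is a constructed addition to exercise the "-" convention.

```python
import re

# Constructed sample: the page's full netgroups file plus a hypothetical
# "ops" group that uses the "-" (no valid value) convention.
NETGROUP_FILE = """\
sysadmins (,sshah,) (,heidis,) (,jnguyen,) (,mpham,)
servers (numark,,) (vestax,,)
clients (denon,,) (technics,,) (mtx,,)
research-1 (,boson,) (,jyom,) (,weals,) (,jaffe,)
research-2 (,sangeet,) (,mona,) (,paresh,) (,manjari,) (,jagdish,)
consultants (,arturo,)
allusers sysadmins research-1 research-2 consultants
allhosts servers clients
ops (-,sshah,)
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_file(text):
    """Map each group name to (list of (host, user, domain) triples, nested group names)."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        name, *members = line.split()
        triples, nested = [], []
        for m in members:
            t = TRIPLE_RE.fullmatch(m)
            if t:  # a parenthesised (host, user, domain) tuple
                triples.append(tuple(f.strip() for f in t.groups()))
            else:  # a bare word references another netgroup
                nested.append(m)
        groups[name] = (triples, nested)
    return groups


def _field_matches(pattern, value):
    if value is None or pattern == "":  # caller does not care, or file wildcard
        return True
    return pattern != "-" and pattern == value  # "-" means no valid value


def innetgr(groups, name, host=None, user=None, domain=None, seen=None):
    """Test (host, user, domain) against a netgroup, following nesting like innetgr(3)."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:  # unknown group or a reference cycle
        return False
    seen.add(name)
    triples, nested = groups[name]
    if any(_field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain)
           for h, u, d in triples):
        return True
    return any(innetgr(groups, n, host, user, domain, seen) for n in nested)
```

Because (numark,,) means everybody on numark, asking only about a user against the servers group matches too, which is exactly why host-only and user-only groups are kept separate in the file above.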
!! [System Access Control using LDAP backed NIS Netgroups]
Now that we know what [{$pagename}]s are, we can find out how to do [System Access Control using LDAP backed NIS Netgroups].
!! More Information
There might be more information for this subject on one of the following: