LDAPWiki: Netgroup

Overview#

A netgroup defines a network-wide group of hosts and users. Use a netgroup to restrict access to shared NFS filesystems and to restrict remote login and shell access.

Network groups are stored in a network information services, such as LDAP, NIS, or NIS+, not in a local file.

Netgroup are a great way to identify people and machines under nice, neat names for access control. A good example of using this feature is for a site where users are not allowed to log in to server machines. You can create a netgroup for the system administrators and let in members of the group through a special entry in the /etc/passwd file.

Netgroup have become a daily staple for NIS administrators. They allow machines and/or users to be collected together for various administrative tasks such as grouping machines together for use in the tcp_wrappers files /etc/ hosts .allow and /etc/hosts.deny . In this next example, you restrict access via ssh only to members of the sysadmin Netgroup:

# /etc/hosts.deny 
sshd: ALL 
. . .  
# /etc/hosts.allow 
sshd: @sysadmin

What are NIS netgroups good for?#

First, it's important to understand what a NIS netgroup gains the average system administrator. NIS Netgroups provide the ability to perform such tasks as:

Control both user and group login access to individual or groups of machines.
Manage NFS access control lists.
Control user and group sudo command access.
Execute remote commands or interactive logins on groups of machines with dsh (distributed shell).
Manage the configuration of your entire network on a role basis with an IDM Implementation.

These are just a few of the excellent uses for NIS netgroups. If we take this functionality and implement an LDAP based backend, we can not only take advantage of these tools but gain the security, manageability and fault tolerance of Fedora Directory Server.

LDAP Setup#

RFC 2307 describes the setup of the LDAP entries to support Netgroup. The structural nisNetgroup as directory entries. The attributes are:

cn - The cn attribute holds the name of the netgroup
nisNetgroupTriple - stores the (host, user, NIS-domain) entries
memberNisNetgroup - stores the names of any nested netgroups.

Before adding any Netgroup entries to the directory, you must create a container where Netgroups are located. By convention, the ou=netgroup organizational unit is often used for storing Netgroup:

dn: ou=netgroup,dc=willeke,dc=com
objectclass: organizationalUnit
ou: netgroup

the sysadmin netgroup could be represented by this LDIF entry:

dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org 
objectClass: nisNetgroup 
objectClass: top 
cn: sysadmin 
nisNetgroupTriple: (garion.plainjoe.org,,) 
nisNetgroupTriple: (silk.plainjoe.org,,)

LDAP Client Configuration #

After adding these entries to your directory, you must configure the LDAP Client Configuration to use the correct search suffix which would be the LDAP container which is the parent of all your Netgroup.

Name Service Switch File#

Finally, you must inform the the operating system to pass off netgroup queries to the LDAP directory by updating the netgroup entry in Name Service Switch :

## /etc/nsswitch.conf 
## . . .  
netgroup: ldap

Query for Netgroup#

The getent tool can be used to query NSS for specific Netgroup by giving the group name as a command-line parameter:

getent netgroup sysadmin
sysadmin             (sa.willeke.com, , ) (xenhost.willeke.com, , )

/etc/hosts.allow#

It would also be a good idea to verify that the /etc/hosts.allow listed in the beginning of the section obeyed the netgroups membership by actually attempting to log on to the machine using ssh from a host other than garion or silk .

Location of netgroup NIS#

As a reference, Netgroup information is kept in the /etc/netgroup file and shared via NIS.

The format of a netgroups file is as follows:

groupname member-list

groupname is the name of the group being defined, and the member-list consists of other group names or tuples of specific data. Each entry in the member-list is separated by a whitespace.

Tuples#

As LDAP implementation Netgroup can be used for all host within an entire enterprise, the configuration of Netgroups in LDAP is a little different. The configuration use a tuple containing specific data in this form:

(hostname, username, domain name)

hostname is the name of the machine for which that entry is valid
username is the login of the person being referenced
domain name is the NIS domain name. Any entry left blank is considered a wildcard

Some Examples#

or example,

(technics,,)

implies everybody on the host technics.

An entry with a dash in it (-) means that there are no valid values for that entry. For example,

(-,sshah,)

Here we imply the user sshah and nothing else. This is useful for generating a list of users or machine names for use in other netgroups. NOTE: We recommend that the format to be used is:

(,sshah,)

We have seen some implementations that do not like the use of the "-" for none.

Referencing Netgroups#

In files where netgroups are supported (such as /etc/passwd), you reference them by placing an @ sign in front of them. If you want to give the netgroup sysadmins consisting of

(,sshah,) (,heidis,)

permission to log in to a server, you add this line to your /etc/passwd file:

+@sysadmins

An example of a full netgroups file follows:

sysadmins    (,sshah,) (,heidis,) (,jnguyen,) (,mpham,)
servers      (numark,,) (vestax,,)
clients      (denon,,) (technics,,) (mtx,,)
research-1   (,boson,) (,jyom,) (,weals,) (,jaffe,)
research-2   (,sangeet,) (,mona,) (,paresh,) (,manjari,) (,jagdish,)
consultants  (,arturo,)
allusers       sysadmins research-1 research-2 consultants
allhosts       servers clients

System Access Control using LDAP backed NIS Netgroups #

Now that we know what Netgroups are, we can find out how to do System Access Control using LDAP backed NIS Netgroups.

More Information#

There might be more information for this subject on one of the following: