• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

netgroup using LDAP in FreeBSD11.1

zjlinickey

New Member


Messages: 4

#1
Hey all!

I am migrating NIS to LDAP, but netgroups don't seem to work as expected.

I am trying to installed nss-pam-ldapd on 11.1-RELEASE, and set up uri, base, TLS.
I use getent to get the map, passwd and group work ok, I can get data in LDAP, but
getent netgroup <name> doesn't return anything even if it is a valid name.
If I put a netgroup into /etc/netgroup, it will find that one group.

The enviroment is FreeBSD 11.1-RELEASE, OpenLDAP 2.4

My /etc/nsswitch.conf looks like this:
Code:
group: files ldap
hosts: files dns
networks: files ldap
netgroup: ldap
passwd: files ldap
shells: files
services: compat
services_compat: files
protocols: files
rpc: files
netgroup's schema in LDAP looks like this:
Code:
dn: cn=testNetgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: testNetgroup
nisNetgroupTriple: (,aaa,)
nisNetgroupTriple: (,bbb,)
nisNetgroupTriple: (,ccc,)
From what I have been able to read, it might be that netgroups are not really well supported by nsswitch.conf. Is that true?

Help will be greatly appreciated, as this could impact other ways I have always
used netgroups...


Thank you!
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,891
Best answers: 7
Messages: 26,510

#2
Never used netgroups with LDAP, I generally just use the PosixGroup for groups.
 

zjlinickey

New Member


Messages: 4

#3
Dear SirDice,

Thanks your reply!
Because our team have several machines, we need the feature of netgroup to control access.
e.g. master.passwd, sudoers file...
Just group may not support the feature.
Is any other solution can replace netgroup?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,891
Best answers: 7
Messages: 26,510

#4
Because our team have several machines, we need the feature of netgroup to control access.
e.g. master.passwd, sudoers file...
Am I understanding correctly that you don't want all users to be able to login on all machines? So you want to define a group of users that only has access to Server1 and another group that only has access to Server2 for example?

For sudo(8) it shouldn't be much of a problem, I've done things like that before, you just need to make clever use of the Host_alias.
 

zjlinickey

New Member


Messages: 4

#5
Am I understanding correctly that you don't want all users to be able to login on all machines? So you want to define a group of users that only has access to Server1 and another group that only has access to Server2 for example?

For sudo(8) it shouldn't be much of a problem, I've done things like that before, you just need to make clever use of the Host_alias.
YES, I want to do that!
Because there are many people in our team to maintain several systems, and the transfer of personnel is fast.
We want to find a simple method to manage the permission, like netgroup can be used in both login access and sudoers file.
 

M1cRO

New Member

Thanks: 2
Messages: 3

#6
Actually you can use netgroup in FreeBSD 11+(https://svnweb.freebsd.org/base?view=revision&revision=301711)
but you need: https://people.freebsd.org/~markj/patches/nss_ldap_netgroup.patch for net/nss_ldap
After that:
add: netgroup: ldap to /etc/nsswitch.conf
add: nss_base_netgroup ou=Netgroup,dc=mydomain,dc=com?sub to /usr/local/etc/nss_ldap.conf
and you will see:
getent netgroup testNetgroup
testNetgroup (,aaa,) (,bbb,) (,ccc,)


ps: I have netgroup on 10.2 but you need patching your libc:
https://people.freebsd.org/~markj/patches/netgroup_nss.diff
https://people.freebsd.org/~markj/patches/netgroup_nss2.diff

ps2: sudo support netgroup without any patch all be fine ;) just do not forget build it with ldap support
 

zjlinickey

New Member


Messages: 4

#7
Actually you can use netgroup in FreeBSD 11+(https://svnweb.freebsd.org/base?view=revision&revision=301711)
but you need: https://people.freebsd.org/~markj/patches/nss_ldap_netgroup.patch for net/nss_ldap
After that:
add: netgroup: ldap to /etc/nsswitch.conf
add: nss_base_netgroup ou=Netgroup,dc=mydomain,dc=com?sub to /usr/local/etc/nss_ldap.conf
and you will see:
getent netgroup testNetgroup
testNetgroup (,aaa,) (,bbb,) (,ccc,)


ps: I have netgroup on 10.2 but you need patching your libc:
https://people.freebsd.org/~markj/patches/netgroup_nss.diff
https://people.freebsd.org/~markj/patches/netgroup_nss2.diff

ps2: sudo support netgroup without any patch all be fine ;) just do not forget build it with ldap support
Thank for your help!
It works!!
I just patch net/nss_ldap, the other look like have patched in libc.
But there is another probelm:
e.g.
teamA (,Adam,) (,Mike,)
teamB (,Bob,) (,Alice,)
getent netgroup teamA
getent netgroup teamB
Works ok.

all-users teamA teamB
teamA (,Adam,) (,Mike,)
teamB (,Bob,) (,Alice,)
getent netgroup all-users
It returns nothing.
 

M1cRO

New Member

Thanks: 2
Messages: 3

#8
If you are trying use "memberNisNetgroup" it not implemented in nss_ldap, need do one more patch.
 
Top