[Freeipa-devel] [DOC] about netgroups

Dmitri Pal dpal at redhat.com
Tue Feb 23 15:54:23 UTC 2010


Pavel Zůna wrote:
> I was asked to complete the documentation of IPA commands on the
> internal wiki. Unfortunately, I currently don't have access to it and
> have decided to put some of the information I've been gathering here
> on freeipa-devel. It's not a secret after all and is easier to review
> by other team members. I'm going to put this on the wiki as soon as I
> can.
>

Try now...

> So, in the first (and possibly last) issue of CommandDocs(tm), we're
> going to look at netgroups and commands related to them.
>
> What are netgroups?
> ===================
> Netgroups are a concept introduced in the directory service NIS. They
> are supposed to contain users, hosts (machines) and other netgroups.
> Here are a few examples of why such groups can be useful:
>
> http://directory.fedoraproject.org/wiki/Howto:Netgroups#What_are_NIS_netgroups_good_for.3F
>
>
> Don't continue reading after the "What are NIS netgroups good for?"
> part. Netgroup entries are different in IPA.


Though they are different it is important to underline that there are
two plugins in IPA that make the data in the new format available via
NIS or old standard RFC2307/2307bis LDAP schema. For details see the
documentation and examples here: https://fedorahosted.org/slapi-nis/
The entries stored using the new schema are converted into the standard
NIS netgroup map and served via the NIS protocol by the first plugin
described on the slapi-nis project page and the compatibility plugin can
be used to create a virtual LDAP view that matches the standard 2307 or
2307bis schema for netgroups using the IPA specific schema.
I am not sure that we have it configured by default. This is something
that Nalin would be able to clarify. Nalin?
But anyways it is definitely possible to configure the compatibility
plugin to automatically translate the IPA netgroups schema into schema
that standard nss_ldap client expects.
 
>
> Some more info about netgroups (optional reading; I'll explain most of
> the important stuff):
> http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml
>
> How do we store netgroups in the IPA backend (LDAP)?
> ====================================================
> NIS groups traditionally contain a so-called netgroup triple of the
> format:
>
> (machine, user, domain)
>
> machine - machine name, a host name
> user - user name
> domain - NIS domain of the machine and user
>
> Note that there is no necessary relationship between the machine and
> the user. Only one of those fields is usually used at a time to avoid
> confusion.
>
> In IPA, we don't use the triple anymore. It's ugly and unclear.
> Instead we use the membership relationship between LDAP entries. You
> simply add users, hosts and even their groups as members of a netgroup.
> The domain field is constant for each netgroup and defaults to the
> current IPA domain.
>
> Example of a netgroup displayed using the IPA CLI:
>
> # ipa netgroup-show net1
>   Netgroup name: net1
>   Description: test netgroup
>   NIS domain name: pzuna
>   Member User: admin
>   Member Host: testbox.pzuna
>
> What commands are available in IPA for handling netgroups?
> ==========================================================
> The management plugin for netgroups in IPA conforms to the CRUD
> command naming conventions used in all other plugins that come with
> the default IPA installation.
>
> Creating new netgroups
> ----------------------
>  ipa netgroup-add NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]
>
> NAME is the name of the netgroup (can be anything, but must be unique)
> DESCRIPTION is the netgroup description (required)
> NISDOMAIN is the NIS domain name, defaults to the current IPA domain
>
> Deleting netgroups
> ------------------
>  ipa netgroup-del NAME
>
> Displaying netgroups
> --------------------
>  ipa netgroup-show NAME
>
> Modifying netgroups
> -------------------
>  ipa netgroup-mod NAME [--desc=DESCRIPTION] [--nisdomain=NISDOMAIN]
>
> Same as `ipa netgroup-add`, except modifying description is required
> and NISDOMAIN doesn't default to anything.
>
> Searching for netgroups
> -----------------------
>  ipa netgroup-find [CRITERIA] [--name=NAME] [--desc=DESCRIPTION]
>                               [--nisdomain=NISDOMAIN] [--uuid=UUID]
>
> CRITERIA is an optional substring that has to appear in either the
> name, the description or the NIS domain of the groups you're looking for.
>
> Other options are the same as `ipa netgroup-add`, except nothing is
> required and nothing defaults to anything. There's a new UUID option
> that allows searching netgroups by ipaUniqueID. If one of these
> options is set, the command returns only exact matches of this option.
>
> Adding users and hosts to netgroups
> -----------------------------------
>  ipa netgroup-add-member NAME [--users=USERS] [--groups=GROUPS]
>                               [--hosts=HOSTS] [--hostgroups=HOSTGROUPS]
>                               [--netgroups=NETGROUPS]
>
> USERS,GROUPS,HOSTS,HOSTGROUPS,NETGROUPS are comma-separated lists of
> names of the appropriate objects.
>
> Removing users and hosts from netgroups
> ---------------------------------------
>  ipa netgroup-remove-member NAME [--users=USERS] [--groups=GROUPS]
>                                  [--hosts=HOSTS]
>                                  [--hostgroups=HOSTGROUPS]
>                                  [--netgroups=NETGROUPS]
>
> Same as `netgroup-add-member`.
>
> Examples
> --------
> # ipa netgroup-add net0 --desc="test netgroup"
>   Netgroup name: net0
>   Description: test netgroup
>   NIS domain name: pzuna
>   IPA unique ID: 9e6e089c-2089-11df-b677-5452004c033a
>
> # ipa netgroup-mod net0 --desc="description change"
>   Netgroup name: net0
>   Description: description change
>   NIS domain name: pzuna
>
> # ipa netgroup-add-member net0 --users=admin --hosts=testbox.pzuna
>   Netgroup name: net0
>   Description: description change
>   NIS domain name: pzuna
>   Member User: admin
>   Member Host: testbox.pzuna
> -------------------------
> Number of members added 2
> -------------------------
>
> # ipa netgroup-remove-member net0 --users=admin
>   Netgroup name: net0
>   Description: description change
>   NIS domain name: pzuna
>   Member Host: testbox.pzuna
> ---------------------------
> Number of members removed 1
> ---------------------------
>
> # ipa netgroup-del net0
>
> # ipa netgroup-show net0
> ipa: ERROR: no such entry
>
>
>
> Pavel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


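The two models discussed in this thread (Pavel's membership-based IPA entry and the classic NIS `(machine, user, domain)` triple map that Dmitri says the slapi-nis plugin serves to NIS clients) can be related in a few dozen lines. The following is an added example by the editor, not FreeIPA or slapi-nis code. It assumes a simplified entry layout (the attribute names `cn`, `nisDomainName`, `memberUser`, `memberHost` and `memberNetgroup` are placeholders, not the real IPA LDAP schema) and renders each user or host as its own triple with the unused field set to `-`, which is the common NIS convention; empty fields are treated as wildcards, as NIS does. It also shows an `innetgr`-style lookup that follows nested netgroups without looping on a cycle, and makes Pavel's point concrete: a host triple and a user triple in the same netgroup do not form a host/user pair.

```python
import re

# Constructed sample: the netgroup from the mail, written as a
# membership-based entry (attribute names are assumptions, see lead-in).
IPA_ENTRY = {
    "cn": "net1",
    "nisDomainName": "pzuna",
    "memberUser": ["admin"],
    "memberHost": ["testbox.pzuna"],
    "memberNetgroup": ["net2"],
}

# Matches one "(host,user,domain)" triple; fields may be empty.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def ipa_to_nis_line(entry):
    """Render a membership-based entry as a classic NIS netgroup map line.

    Each host and each user becomes its own triple ("one field at a time");
    the NIS domain is constant for the whole entry; nested netgroups are
    emitted by name.
    """
    domain = entry["nisDomainName"]
    parts = [f"({host},-,{domain})" for host in entry.get("memberHost", [])]
    parts += [f"(-,{user},{domain})" for user in entry.get("memberUser", [])]
    parts += entry.get("memberNetgroup", [])
    return entry["cn"] + " " + " ".join(parts)


def parse_nis_line(line):
    """Parse 'name (h,u,d) (h,u,d) other_netgroup' into (name, triples, nested)."""
    name, _, rest = line.strip().partition(" ")
    triples = [m.groups() for m in TRIPLE_RE.finditer(rest)]
    nested = TRIPLE_RE.sub(" ", rest).split()  # whatever is left are netgroup names
    return name, triples, nested


def load_map(lines):
    """Build {netgroup name: (triples, nested names)} from map lines."""
    return {name: (triples, nested)
            for name, triples, nested in map(parse_nis_line, lines)}


def _field_matches(pattern, value):
    # Query value None: caller does not constrain this field.
    # Pattern "": NIS wildcard, matches anything.  Pattern "-": matches nothing.
    if value is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == value


def netgroup_matches(netgroups, name, host=None, user=None, domain=None):
    """innetgr-style test: is (host, user, domain) covered by netgroup `name`?

    Nested netgroups are followed depth-first; `seen` stops cycles.
    """
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        if current in seen or current not in netgroups:
            continue
        seen.add(current)
        triples, nested = netgroups[current]
        for h, u, d in triples:
            if (_field_matches(h, host) and _field_matches(u, user)
                    and _field_matches(d, domain)):
                return True
        stack.extend(nested)
    return False


# Constructed map: net1 from the entry above, net2 nesting net1 (a cycle),
# net3 using empty host/user fields as wildcards.
NIS_MAP = [
    ipa_to_nis_line(IPA_ENTRY),
    "net2 (-,bob,pzuna) net1",
    "net3 (,,pzuna) net1",
]

if __name__ == "__main__":
    netgroups = load_map(NIS_MAP)
    for line in NIS_MAP:
        print(line)
    print("admin in net1:", netgroups and netgroup_matches(netgroups, "net1", user="admin"))
    print("testbox.pzuna+admin as a pair in net1:",
          netgroup_matches(netgroups, "net1", host="testbox.pzuna", user="admin"))
```

Running the block prints the generated map and shows that `admin` alone and `testbox.pzuna` alone match `net1`, while the pair `(testbox.pzuna, admin)` does not, because the two facts live in separate triples. The cycle `net1 -> net2 -> net1` terminates thanks to the `seen` set, and `net3` shows why wildcard (empty) fields deserve care when a netgroup is used for access control: `(,,pzuna)` admits any host and any user in that domain.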



