[Freeipa-devel] [PATCH] 487 fix netgroup plugin

Rob Crittenden rcritten at redhat.com
Thu Jul 15 13:15:09 UTC 2010


Adam Young wrote:
> On 07/14/2010 07:52 PM, Dmitri Pal wrote:
>> Adam Young wrote:
>>> On 07/14/2010 03:43 PM, Rob Crittenden wrote:
>>>> The netgroup plugin was using the wrong attribute for memberships. It
>>>> needs to use memberuser for users and groups and memberhost for hosts
>>>> and hostgroups. I fixed this up and corrected the tests as well.
>>>>
>>>> rob
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>>
>>> Got it installed and running. Unclear how to test.
>>
>> Create a user group with 3 users U1 U2 U3. Create a host group with the
>> two hosts H1 H2
>> Create a netgroup that includes this user group and this host group
>> Configure client to use your IPA server as a source of the netgroups
>> List the netgroups - should get your netgroup
>> List the contents of the netgroup. You should get triplets: user, host,
>> domain
>> The order of the users and hosts in triplets does not matter. What
>> matters is that each host and each user are listed in some triplet and
>> generally present in the netgroup not more than once.
>>
>>
>
> Here's my script. ypcat stopped working with
>
> No such map netgroup. Reason: Can't communicate with portmapper
>
> Too tired to debug tonight.
>
> ipa user-add --first=Kermit --last=Frog kfrog
> ipa user-add --first=Count --last=VonCount count123
> ipa user-add --first=Oscar --last=Grouch scram
>
> ipa user-add --first=Elmo --last=Gonzales elmo
> ipa user-add --first=Zoe --last=MacPhearson zoe
> ipa user-add --first=Prairie --last=Dawn pdawn
>
>
> ipa group-add --desc="Monsters on Sesame Street" monsters
> ipa group-add --desc="Muppets moonlighting for CTW" muppets
>
> ipa group-add-member --users=kfrog,scram,pdawn muppets
> ipa group-add-member --users=count123,elmo,zoe monsters
>
> ipa netgroup-add --desc="staging servers" net-stage
> ipa netgroup-add --desc="live servers" net-live
>
> ipa hostgroup-add --desc "Live servers" host-live
> ipa hostgroup-add --desc "Staging servers" host-stage
>
>
> ipa hostgroup-add-member --hosts live3.pbs.org,live2.pbs.org,live1.pbs.org host-live
> ipa hostgroup-add-member --hosts stage3.pbs.org,stage2.pbs.org,stage1.pbs.org host-stage
>
>
> ipa netgroup-add-member --groups=muppets --hostgroups=host-live net-live
> ipa netgroup-add-member --groups=muppets --hostgroups=host-stage net-stage
>
>
>
> ypcat -d ipa.ayoung.boston.devel.redhat.com -h ipa.ayoung.boston.devel.redhat.com netgroup
>

Ok, kudos on the big test group but your knowledge of Sesame Street 
characters' last names is a bit disturbing ;-)

Your ypcat command is wrong. The -d is your NIS domain (same as your IPA 
domain) and the -h is the host to connect to.

I get the following output with this data set:

(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)
(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)

Based on my limited understanding of netgroups this looks correct. You 
have defined two netgroups, both of which have the same user group as a 
member. The first netgroup has no hosts or hostgroups associated with 
it, the second has an empty hostgroup (because you added non-existent 
hosts, or at least hosts not on my box).

I added a host to host-live and now I get:

(-,kfrog,example.com) (-,scram,example.com) (-,pdawn,example.com)
(lion.example.com,kfrog,example.com) (-,scram,example.com) 
(-,pdawn,example.com)

rob
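Dmitri's acceptance criterion from earlier in the thread (every expected user and host shows up in some (host,user,domain) triple, and none more than once) as a checker over the listing, an added example that is not part of this thread and not FreeIPA code. It assumes the listing was captured from `ypcat -d <nis-domain> -h <server> netgroup` (or `getent netgroup <name>`) as Rob describes; a leading netgroup name on the line is ignored. The sample listing is constructed, modelled on Rob's second output after lion.example.com was added to host-live.

```python
"""Check a NIS-style netgroup listing against the test criteria discussed in
the thread.  Added example; not FreeIPA's own code."""
import re
from collections import Counter

# Constructed sample, modelled on the listing Rob posted for net-live after
# adding lion.example.com to host-live (domain example.com).
SAMPLE_NET_LIVE = (
    "(lion.example.com,kfrog,example.com) (-,scram,example.com) "
    "(-,pdawn,example.com)"
)

# One triple is "(host,user,domain)"; any field may be "-" (empty/wildcard).
# Anything outside the parentheses, e.g. a leading netgroup name, is skipped.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_triples(listing):
    """Return the (host, user, domain) tuples found in a listing, in order."""
    return [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(listing)]


def _occurrences(values):
    """Count real names only; '-' and empty fields are placeholders, not members."""
    return Counter(v for v in values if v and v != "-")


def check_netgroup(listing, expected_users, expected_hosts, domain):
    """Compare a listing with the members the netgroup should contain.

    Returns a dict: missing_users/missing_hosts (expected, never listed),
    duplicate_users/duplicate_hosts (listed in more than one triple),
    unexpected_users/unexpected_hosts (listed but not expected),
    bad_domain (triples whose domain field differs from `domain`), and
    ok (True when every other entry is empty).
    """
    triples = parse_triples(listing)
    hosts = _occurrences(t[0] for t in triples)
    users = _occurrences(t[1] for t in triples)
    exp_users, exp_hosts = set(expected_users), set(expected_hosts)

    result = {
        "missing_users": sorted(exp_users - set(users)),
        "missing_hosts": sorted(exp_hosts - set(hosts)),
        "duplicate_users": sorted(u for u, n in users.items() if n > 1),
        "duplicate_hosts": sorted(h for h, n in hosts.items() if n > 1),
        "unexpected_users": sorted(set(users) - exp_users),
        "unexpected_hosts": sorted(set(hosts) - exp_hosts),
        "bad_domain": [t for t in triples if t[2] != domain],
    }
    result["ok"] = not any(result.values())
    return result


if __name__ == "__main__":
    # Members of the thread's net-live: group "muppets" plus the one real host.
    report = check_netgroup(
        SAMPLE_NET_LIVE,
        expected_users=["kfrog", "scram", "pdawn"],
        expected_hosts=["lion.example.com"],
        domain="example.com",
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against each netgroup the client sees; a non-empty `missing_*` list points at the membership attribute not being read (the bug this patch fixes), while a non-empty `duplicate_*` list means a member is being emitted once per path it is reachable by (directly and via a group).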