[Freeipa-users] Netgroups and users

Sigbjorn Lie sigbjorn at nixtra.com
Tue Dec 13 22:03:00 UTC 2011


On 12/13/2011 10:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> When adding users or user groups to a netgroup, the format of the 
> netgrouptriple ends up as following:
>
> nisNetgroupTriple: (-,username,ix.test.com)
>
> The extra "-" prevents me from using IPA's netgroups for tcp wrappers 
> using /etc/hosts.allow and /etc/hosts.deny for user access control.
>
> Making the same test with a NIS server, creating the same entry 
> without the "-", works for user access control.
>
> Looking at 389-ds' wiki, the "-" should not be there:
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Is this a configurable setting? Or should I open a ticket?
>
>
To answer myself, yes this is configurable.

There is an attribute under "cn=ng,cn=Schema 
Compatibility,cn=plugins,cn=config", named 
"schema-compat-entry-attribute". Changing this attribute from:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})


To:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})

This makes the netgroup return correctly, and user-based hosts.allow and 
hosts.deny work just fine! The entries now look like:
nisNetgroupTriple: (,username,ix.test.com)

This allows me to use the same user group for access to services at Red 
Hat servers using SSSD/HBAC, and services at Solaris servers using tcp 
wrappers. SSH in Solaris comes with TCP wrappers built in, so no extra 
configuration is required. :)


Ticket opened:
https://bugzilla.redhat.com/show_bug.cgi?id=767372
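The behaviour the thread hinges on is standard netgroup semantics: in a triple (host,user,domain) an empty field is a wildcard, while "-" is a field that matches nothing, so a host-based innetgr(3) lookup such as the one tcp_wrappers performs can never match (-,username,ix.test.com) but does match (,username,ix.test.com). The script below is an added example, not code from the post, from FreeIPA or from 389-ds. It emulates that matching for single triples, counts the broken form in ldapsearch output, and generates the ldapmodify LDIF that swaps the schema-compat template exactly as the post describes. The server URL ldap://ipa.ix.test.com, the compat base cn=ng,cn=compat,dc=ix,dc=test,dc=com, the netgroup name solaris-admins, the bind DN cn=Directory Manager and the sample ldapsearch output are all assumptions or constructed data, none of them from the original message.

```shell
#!/bin/sh
# Added example (not code from the original post, FreeIPA or 389-ds).
# 1. triple_matches: emulate innetgr(3) matching of one nisNetgroupTriple,
#    showing why "(-,user,domain)" fails a host lookup while "(,user,domain)"
#    succeeds: an empty field is a wildcard, "-" matches nothing.
# 2. count_dash_host_triples: find the broken form in ldapsearch output.
# 3. compat_template_ldif: the ldapmodify input that swaps the template.
# Assumptions, none of which are in the post: server ldap://ipa.ix.test.com,
# compat netgroup base cn=ng,cn=compat,dc=ix,dc=test,dc=com, a netgroup
# named solaris-admins, and cn=Directory Manager as the bind DN.

# field_matches TRIPLE_FIELD QUERY_FIELD
# A query field left empty is "not asked" (innetgr passes NULL) and always
# matches; an empty triple field is a wildcard; "-" never matches; anything
# else must be equal.
field_matches() {
    [ -z "$2" ] && return 0
    [ -z "$1" ] && return 0
    [ "$1" = "-" ] && return 1
    [ "$1" = "$2" ]
}

# triple_matches '(host,user,domain)' HOST USER DOMAIN ; exit 0 on match
triple_matches() {
    body=${1#\(}
    body=${body%\)}
    IFS=, read -r th tu td <<EOF
$body
EOF
    field_matches "$th" "$2" && field_matches "$tu" "$3" && field_matches "$td" "$4"
}

# count_dash_host_triples TEXT
# Prints how many triples have "-" as host and a real user, i.e. the form
# the default template produces for user members.
count_dash_host_triples() {
    printf '%s\n' "$1" | grep -c '^nisNetgroupTriple: (-,[^,-][^,]*,'
}

# Constructed sample of "ldapsearch -LLL nisNetgroupTriple" output, not real data.
SAMPLE_TRIPLES='nisNetgroupTriple: (-,username,ix.test.com)
nisNetgroupTriple: (host1.ix.test.com,-,ix.test.com)
nisNetgroupTriple: (,username,ix.test.com)'

# compat_template_ldif: LDIF for ldapmodify. The attribute is multi-valued, so
# the old value is deleted by value and the new one added; the only change is
# the host-list default "-" becoming "" in the first %link() argument list.
compat_template_ldif() {
    cat <<'EOF'
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
delete: schema-compat-entry-attribute
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
-
EOF
}

# apply_fix: the commands actually run against the assumed server. Only
# executed when this script is started with the argument "apply".
apply_fix() {
    compat_template_ldif > /tmp/compat-triple.ldif
    ldapmodify -x -H ldap://ipa.ix.test.com -D 'cn=Directory Manager' -W \
        -f /tmp/compat-triple.ldif
    # Re-read the compat tree; if the triples are unchanged, restart the
    # directory server (ipactl restart) so the plugin re-reads its template.
    ldapsearch -x -H ldap://ipa.ix.test.com -LLL \
        -b 'cn=solaris-admins,cn=ng,cn=compat,dc=ix,dc=test,dc=com' nisNetgroupTriple
}

# Demonstration with a tcp_wrappers-style lookup: host given, user and
# domain not asked.
for t in '(-,username,ix.test.com)' '(,username,ix.test.com)'; do
    if triple_matches "$t" client.ix.test.com '' ''; then
        echo "$t matches client.ix.test.com"
    else
        echo "$t does NOT match client.ix.test.com"
    fi
done
echo "broken user triples in sample: $(count_dash_host_triples "$SAMPLE_TRIPLES")"
if [ "${1:-}" = "apply" ]; then apply_fix; fi
```

Run without arguments it only evaluates the constructed sample; with `apply` it writes the LDIF and runs ldapmodify and ldapsearch against the assumed server. Note that the change is global for the schema-compat netgroup tree: host-only netgroups keep their user default and come out as (host,-,domain), while user-only ones become (,user,domain).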




