[Freeipa-users] Netgroups and users
Sigbjorn Lie
sigbjorn at nixtra.com
Tue Dec 13 22:03:00 UTC 2011
On 12/13/2011 10:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> When adding users or user groups to a netgroup, the format of the
> netgrouptriple ends up as following:
>
> nisNetgroupTriple: (-,username,ix.test.com)
>
> The extra "-" prevents me from using IPA's netgroups for tcp wrappers
> using /etc/hosts.allow and /etc/hosts.deny for user access control.
>
> Making the same test with a NIS server, creating the same entry
> without the "-", works for user access control.
>
> Looking at 389-ds' wiki, the "-" should not be there:
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Is this a configurable setting? Or should I open a ticket?
>
>
To answer myself, yes this is configurable.
There is an attribute under "cn=ng,cn=Schema
Compatibility,cn=plugins,cn=config", named
"schema-compat-entry-attribute". Changing this attribute from:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
To:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
Makes the netgroup return correctly, and user-based hosts.allow and
hosts.deny work just fine! The entries now look like:
nisNetgroupTriple: (,username,ix.test.com)
This allows me to use the same user group for access to services at Red
Hat servers using SSSD/HBAC, and services at Solaris servers using tcp
wrappers. SSH in Solaris comes with TCP wrappers built in, so no extra
configuration is required. :)
Ticket opened:
https://bugzilla.redhat.com/show_bug.cgi?id=767372
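An added example (not part of this post and not FreeIPA's or 389-ds' own code) that shows why the "-" in the host field breaks host-aware lookups: it parses nisNetgroupTriple values out of constructed LDIF and evaluates them with the innetgr(3) rules from netgroup(5), where an empty field is a wildcard and a literal "-" matches nothing. The LDIF entries, DNs, hostnames and the user "username" are constructed sample data; the lookup shapes (host-only versus user-only) are assumptions about how a consumer such as tcp wrappers queries the netgroup, not a description of any particular implementation.

```python
"""Evaluate nisNetgroupTriple values the way innetgr(3) does, to audit what a
netgroup actually grants before pointing hosts.allow/hosts.deny at it.

Assumed semantics (netgroup(5)): a triple is (host,user,domain). An empty field
is a wildcard, a literal "-" never matches, and a query argument of None means
"don't care". Everything below is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

Triple = Tuple[str, str, str]
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,)]*)\)$")

# Constructed LDIF: the "-" form produced by the default schema-compat
# template, the corrected form, and a nested netgroup with a host-only triple.
SAMPLE_LDIF = """\
dn: cn=broken,cn=ng,cn=compat,dc=ix,dc=test,dc=com
objectClass: nisNetgroup
cn: broken
nisNetgroupTriple: (-,username,ix.test.com)

dn: cn=fixed,cn=ng,cn=compat,dc=ix,dc=test,dc=com
objectClass: nisNetgroup
cn: fixed
nisNetgroupTriple: (,username,ix.test.com)
memberNisNetgroup: db-hosts

dn: cn=db-hosts,cn=ng,cn=compat,dc=ix,dc=test,dc=com
objectClass: nisNetgroup
cn: db-hosts
nisNetgroupTriple: (db01.ix.test.com,,ix.test.com)
"""


def parse_triple(value: str) -> Triple:
    """Split "(host,user,domain)" into its three fields, keeping "" and "-"."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a netgroup triple: {value!r}")
    return (m.group(1), m.group(2), m.group(3))


def parse_ldif(text: str) -> Dict[str, dict]:
    """Minimal LDIF reader (no line folding or base64) returning
    {cn: {"triples": [Triple, ...], "members": [cn, ...]}}."""
    groups: Dict[str, dict] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            attr, sep, val = line.partition(": ")
            if sep:
                attrs.setdefault(attr, []).append(val)
        if "cn" not in attrs:
            continue
        groups[attrs["cn"][0]] = {
            "triples": [parse_triple(v) for v in attrs.get("nisNetgroupTriple", [])],
            "members": attrs.get("memberNisNetgroup", []),
        }
    return groups


def field_matches(field: str, value: Optional[str]) -> bool:
    """One innetgr field comparison: None query = don't care,
    "" in the triple = wildcard, "-" in the triple = matches nothing."""
    if value is None:
        return True
    if field == "-":
        return False
    return field == "" or field == value


def innetgr(groups: Dict[str, dict], netgroup: str, host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None,
            _seen: Optional[set] = None) -> bool:
    """True if (host,user,domain) is covered by netgroup or any nested member.
    _seen guards against membership cycles."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in groups:
        return False
    seen.add(netgroup)
    for h, u, d in groups[netgroup]["triples"]:
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(innetgr(groups, m, host, user, domain, seen)
               for m in groups[netgroup]["members"])


def audit(groups: Dict[str, dict], netgroup: str, host: str, user: str,
          domain: str) -> Dict[str, bool]:
    """Show how the same netgroup answers three assumed consumer lookup shapes."""
    return {
        "user_only": innetgr(groups, netgroup, user=user),
        "host_only": innetgr(groups, netgroup, host=host),
        "host_user_domain": innetgr(groups, netgroup, host, user, domain),
    }


if __name__ == "__main__":
    g = parse_ldif(SAMPLE_LDIF)
    for name in ("broken", "fixed"):
        print(name, audit(g, name, "solaris01.ix.test.com", "username", "ix.test.com"))
```

Running it shows the asymmetry: with the default template's "-" the netgroup still answers a user-only lookup, but any lookup that supplies the client host fails, whereas the corrected empty host field matches every host for that user. The nested db-hosts group illustrates the reverse case, a host-only triple whose empty user field admits any user from that host, which is worth checking before reusing one netgroup for both HBAC and tcp wrappers.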