Security Software

Hostname netgroup triple not working

807573, May 13 2007 (edited May 15 2007)
Hi folks,

I am almost complete in setting up LDAP (the Sun Directory Server Enterprise Edition version) in my Solaris 10 environment as the centralised authentication method across my platform.

We have uids and groups working, but are currently struggling with netgroups (to limit access for certain users to certain machines).

When we implement a netgroup called duck-ng, and set up a netgroup triple, we see the unusual behaviour - the hostname value seems to be ignored.

CONFIG:

Assuming that my ldap client config file states:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=Groups,dc=example,dc=com


Assuming my client nsswitch.conf file states:
passwd: compat
group: files ldap
shadow: files ldap
passwd_compat: files ldap
hosts: files dns
netgroup: ldap

(everything else is files)

My /etc/passwd file contains:
+@duck-ng:x:::::
-:x:::::


My /etc/shadow file contains:
+@duck-ng::::::::
-::::::::


I have a user called "daffy", configured as:
dn: cn=Daffy Duck,ou=People,dc=example,dc=com
cn: Daffy Duck
gidnumber: 6000
homedirectory: /export/home/daffy
loginshell: /usr/bin/bash
objectclass: top
objectclass: shadowAccount
objectclass: person
objectclass: posixAccount
sn: Duck
uid: dduck
uidnumber: 1500
userpassword: {crypt}<.............>


And I have a group of "duck", configured:
dn: cn=duck,ou=Groups,dc=example,dc=com
cn: duck
description: The duck group
gidnumber: 6000
objectclass: top
objectclass: posixGroup


And my NIS netgroup "duck-ng" is configured:
dn: cn=duck-ng,ou=Groups,dc=example,dc=com
cn: duck-ng
cn: duck-ng,ou=Groups,dc=example,dc=com
description: Duck Netgroup
objectclass: top
objectclass: nisNetgroup


Now, if I want to control access to the hostname "goofy", then I want to configure a nisNetgroupTriple value in the duck-ng netgroup.

I have tried the following:

(,daffy,) - The user can log in to any LDAP client which uses this LDAP server
(,daffy,example.com) - As above
(goofy,daffy,example.com) - As above - INCLUDING machines other than "goofy"
(goofy,daffy,) - As above - INCLUDING machines other than "goofy"
(goofy,daffy,test.example.com) - User cannot log in to anything that uses the LDAP server - other properly configured triples can.
(,daffy,test.example.com) - Exactly as above
(goofy,daffy-test,example.com) - User daffy cannot log into anything that uses the LDAP server - other properly configured triples can.
(,daffy-test,example.com) - Exactly as above
(goofy,,) - User daffy cannot log in

I'm really confused as to what's happening here - it looks like the hostname field is being ignored.

What we need to do is have LDAP configured so that daffy user can access goofy server, and anyone else we configure in a similar way in the netgroup can access the goofy server, etc.

Message was edited by:
Dougiesic
Post Details
Locked on Jun 12 2007
Added on May 13 2007
5 comments
565 views
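The behaviour reported in the post can be reasoned about with the matching rules of innetgr(3), which is what a netgroup lookup ultimately calls: an empty field in a (host,user,domain) triple is a wildcard, and a field that the caller does not supply (NULL) is never compared. The following is an added example, not code from the original post or from Sun/Oracle: a small Python model of those rules using the post's own names (duck-ng, daffy, goofy, example.com). The "user_only" row models a lookup that supplies no hostname; whether the client's passwd-compat `+@duck-ng` check is performed that way is an assumption made here, not something the post establishes, but if it is, the host field of the triple can never restrict anything and only the user and domain fields decide the outcome. The user field is compared against the login name (the posixAccount `uid` attribute), so the spelling there has to match exactly.

```python
# Added example (not from the original post): a model of netgroup-triple
# matching following innetgr(3) semantics, using the names from the post.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union


@dataclass(frozen=True)
class Triple:
    """One nisNetgroupTriple value: (host,user,domain); "" means wildcard."""
    host: str = ""
    user: str = ""
    domain: str = ""


# A netgroup holds triples and, via memberNisNetgroup, names of other netgroups.
Member = Union[Triple, str]
NetgroupDB = Dict[str, List[Member]]


def parse_triple(text: str) -> Triple:
    """Parse the LDAP attribute syntax '(host,user,domain)'; empty fields allowed."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"not a netgroup triple: {text!r}")
    parts = [p.strip() for p in body[1:-1].split(",")]
    if len(parts) != 3:
        raise ValueError(f"triple needs exactly three fields: {text!r}")
    return Triple(*parts)


def _field_matches(pattern: str, value: Optional[str]) -> bool:
    """An empty pattern matches anything; a value the caller did not supply
    (None) is not compared at all, as innetgr() treats a NULL argument."""
    if pattern == "" or value is None:
        return True
    return pattern == value


def innetgr(db: NetgroupDB, netgroup: str, host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None,
            _seen: Optional[Set[str]] = None) -> bool:
    """Return True if (host,user,domain) is covered by `netgroup`, recursing
    into nested netgroups and guarding against membership cycles."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen:
        return False
    seen.add(netgroup)
    for member in db.get(netgroup, []):
        if isinstance(member, str):
            if innetgr(db, member, host, user, domain, seen):
                return True
        elif (_field_matches(member.host, host)
              and _field_matches(member.user, user)
              and _field_matches(member.domain, domain)):
            return True
    return False


def evaluate(triple_text: str) -> Dict[str, bool]:
    """Constructed data mirroring the post: the duck-ng netgroup holding one
    triple, checked by a user-only lookup (no host supplied) and by lookups
    that name the client host, for user daffy in domain example.com."""
    db: NetgroupDB = {"duck-ng": [parse_triple(triple_text)]}
    dom = "example.com"
    return {
        "user_only": innetgr(db, "duck-ng", user="daffy", domain=dom),
        "on_goofy": innetgr(db, "duck-ng", host="goofy", user="daffy", domain=dom),
        "on_pluto": innetgr(db, "duck-ng", host="pluto", user="daffy", domain=dom),
    }


if __name__ == "__main__":
    for t in ["(,daffy,)", "(goofy,daffy,example.com)",
              "(goofy,daffy,test.example.com)", "(goofy,dduck,example.com)"]:
        print(f"{t:36} {evaluate(t)}")
```

Running the block shows the pattern from the post: `(goofy,daffy,example.com)` is accepted by the user-only lookup and only rejected when a different hostname (pluto) is actually supplied, while a domain that does not match the client's (test.example.com) is rejected everywhere. The only way the host field takes effect is for the component doing the check to pass the client's hostname into the lookup.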