Re: UNIX Authentication

From: Ian Clelland (
Date: 12/31/03

Date: Wed, 31 Dec 2003 13:29:35 -0800

On Mon, Dec 22, 2003 at 09:25:11AM -0700, Ben Nelson wrote:
> Gareth Bromley wrote:
> >- LDAP seems to be the preferred method ongoing for SUN, and does
> >everyting NIS/NIS+ does with SSL/TLS style encryption if required.
> I've thought of switching my environment over to LDAP, but I've been
> unable to find anything like NIS netgroups implemented with LDAP. Are
> you saying that there is some mechanism for this now?
> I'd love to switch over to LDAP, but I'm currently limiting access to
> certain classes of machines to certain classes of users....with NIS
> netgroup. I've heard of people using LDAP along side NIS (just to serve
> the netgroup map), but I'd rather have all the functionality in one system.

nss_ldap, from, does appear to support netgroups in LDAP --
There is a configuration directive for it, and the code to pull the
netgroup map from the directory exists, at least in the latest source
from the web site. I haven't tried it personally, so I can't say if it
works or not.

If the number of hosts is small enough, it is also possible to restrict
access using pam_ldap's "pam_check_host_attr" directive. You would have
to include a list of allowed hosts (or "*") for each user in the
directory, so it might not work very well if you have a large number of
machines in different groups, but it is sufficient for small networks.

Ian Clelland