Re: UNIX Authentication

From: Ian Clelland (
Date: 12/31/03

Date: Wed, 31 Dec 2003 13:29:35 -0800

On Mon, Dec 22, 2003 at 09:25:11AM -0700, Ben Nelson wrote:
> Gareth Bromley wrote:
> >- LDAP seems to be the preferred method ongoing for SUN, and does
> >everyting NIS/NIS+ does with SSL/TLS style encryption if required.
> I've thought of switching my environment over to LDAP, but I've been
> unable to find anything like NIS netgroups implemented with LDAP. Are
> you saying that there is some mechanism for this now?
> I'd love to switch over to LDAP, but I'm currently limiting access to
> certain classes of machines to certain classes of users....with NIS
> netgroup. I've heard of people using LDAP along side NIS (just to serve
> the netgroup map), but I'd rather have all the functionality in one system.

nss_ldap, from, does appear to support netgroups in LDAP --
There is a configuration directive for it, and the code to pull the
netgroup map from the directory exists, at least in the latest source
from the web site. I haven't tried it personally, so I can't say if it
works or not.

If the number of hosts is small enough, it is also possible to restrict
access using pam_ldap's "pam_check_host_attr" directive. You would have
to include a list of allowed hosts (or "*") for each user in the
directory, so it might not work very well if you have a large number of
machines in different groups, but it is sufficient for small networks.

Ian Clelland

Relevant Pages

  • Re: LDAP and netgroup.byhost / netgroup.byuser
    ... >> We make very heavy use of NIS in our current infrastructure and a lot of it ... I can't imagine having to manually manage netgroup, ... If I have LDAP and no NIS, ... to feed to revnetgroup, hence my dilemna. ...
  • Re: LDAP and netgroup.byhost / netgroup.byuser
    ... Kevin Collins wrote: ... > We make very heavy use of NIS in our current infrastructure and a lot of it ... I can't imagine having to manually manage netgroup, ... put these two maps in NIS, all the rest in LDAP, I am not sure though. ...
  • LDAP netgroups
    ... I have a Sun Directory server v5.2 configured as a naming service for my ... The sus_dba_admins would be an ldap netgroup containing nis triples or ... In this configuration, ...
  • Re: LDAP and netgroup
    ... In article, Kevin Collins wrote: ... Same thing when I try to use netgroup in a .rhosts file. ... >>| that have come up when migrating NIS to LDAP? ... >> under LDAP the choices are to license Sun's LDAP server or to tackle ...
  • Re: As promised, my Directory Server v5.2 / LDAP documentation is available
    ... >> you to control which systems ldap users can log into based on explicit ... > certain netgroup, you don't get on servers that authorize only that ... ldap server -- all the pam_netgroup stuff i've seen still requires you ... 5-10 where the access lists MUST be identical, so either you have to be ...