#2192 Netgroups compat plugin not reporting users correctly
Closed: Fixed. Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=767372

On 12/13/2011 10:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> When adding users or user groups to a netgroup, the format of the
> netgrouptriple ends up as follows:
>
> nisNetgroupTriple: (-,username,ix.test.com)
>
> The extra "-" prevents me from using IPA's netgroups for tcp wrappers using
> /etc/hosts.allow and /etc/hosts.deny for user access control.
>
> Making the same test with a NIS server, creating the same entry without the
> "-", works for user access control.
>
> Looking at 389-ds' wiki, the "-" should not be there:
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Is this a configurable setting? Or should I open a ticket?
>
>
To answer myself, yes this is configurable.

There is an attribute under "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config", named "schema-compat-entry-attribute". Changing this attribute from:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})


To:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})

Makes the netgroup return correctly, and user-based hosts.allow and hosts.deny
work just fine! The entries now look like:
nisNetgroupTriple: (,username,ix.test.com)

This allows me to use the same user group for access to services at Red Hat
servers using SSSD/HBAC, and services at Solaris servers using tcp wrappers.
SSH in Solaris comes with TCP wrappers built in, so no extra configuration is
required. :)

According to http://docs.oracle.com/cd/E19253-01/816-4558/adtable-10078/index.html a dash is a negative wildcard, meaning there are no members allowed in that type.

For example this has host1 in domain doc.com but no users:

(host1, -,doc.com.)
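The two `schema-compat-entry-attribute` values quoted above differ only in the pad string used for the host slot of a user triple ("-" versus ""), and the comment on the Oracle documentation explains why that matters: under NIS netgroup rules an empty field is a wildcard and "-" is a negative wildcard that matches nothing. The Python below is an added example, not FreeIPA or slapi-nis code. It implements those field rules in an innetgr-style matcher (nested netgroups included), reads constructed ldapsearch-style output for both forms of the entry from the ticket, and runs the same lookups against each. The `admins` and `all-admins` netgroups, the DNs and the hostnames are constructed for the example; how Solaris tcp wrappers itself queries the netgroup is not shown on the page.

```python
"""Netgroup triple matching with the two pad values from the ticket.

Added example (not FreeIPA or slapi-nis code).  It applies the NIS triple field
rules cited in the ticket: an empty field is a wildcard and "-" is a negative
wildcard that matches nothing.  The LDIF samples, netgroup names, DNs and
hostnames are constructed for the example.
"""
import re
from dataclasses import dataclass

# (host,user,domain); whitespace around fields is tolerated, as in "(host1, -,doc.com.)"
TRIPLE_RE = re.compile(r"^\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^,)]*?)\s*\)$")


@dataclass(frozen=True)
class Triple:
    host: str
    user: str
    domain: str


def parse_triple(value: str) -> Triple:
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a netgroup triple: {value!r}")
    return Triple(*m.groups())


def field_matches(pattern: str, candidate: str) -> bool:
    """NIS field rules: '' matches anything, '-' matches nothing, else exact."""
    if pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == candidate


def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=frozenset()):
    """True if (host,user,domain) is in netgroup `name`, following nested
    netgroups.  A None argument means 'don't care', like NULL in innetgr(3)."""
    if name in _seen or name not in netgroups:
        return False  # unknown netgroup, or a membership cycle
    ng = netgroups[name]
    for t in ng["triples"]:
        if ((host is None or field_matches(t.host, host))
                and (user is None or field_matches(t.user, user))
                and (domain is None or field_matches(t.domain, domain))):
            return True
    return any(innetgr(netgroups, child, host, user, domain, _seen | {name})
               for child in ng["members"])


def parse_compat_ldif(text: str) -> dict:
    """Minimal reader for ldapsearch output of the compat netgroup tree:
    entries keyed on cn, collecting nisNetgroupTriple and memberNisNetgroup."""
    netgroups, current = {}, None
    for line in text.splitlines():
        attr, _, val = line.partition(":")
        val = val.strip()
        if attr == "cn":
            current = val
            netgroups.setdefault(current, {"triples": [], "members": []})
        elif attr == "nisNetgroupTriple" and current:
            netgroups[current]["triples"].append(parse_triple(val))
        elif attr == "memberNisNetgroup" and current:
            netgroups[current]["members"].append(val)
    return netgroups


# Constructed samples: the same user netgroup as emitted with the original "-"
# pad (before) and with the "" pad from the ticket (after).
SAMPLE_BEFORE = """\
dn: cn=admins,cn=ng,cn=compat,dc=ix,dc=test,dc=com
cn: admins
nisNetgroupTriple: (-,username,ix.test.com)
"""

SAMPLE_AFTER = """\
dn: cn=admins,cn=ng,cn=compat,dc=ix,dc=test,dc=com
cn: admins
nisNetgroupTriple: (,username,ix.test.com)

dn: cn=all-admins,cn=ng,cn=compat,dc=ix,dc=test,dc=com
cn: all-admins
memberNisNetgroup: admins
"""


def compare_padding() -> dict:
    """Run the same three lookups against both forms; returns {check: (dash, blank)}."""
    before = parse_compat_ldif(SAMPLE_BEFORE)
    after = parse_compat_ldif(SAMPLE_AFTER)
    checks = {
        "user_only": dict(user="username", domain="ix.test.com"),
        "host_and_user": dict(host="host1.ix.test.com", user="username"),
        "host_only": dict(host="anyhost.ix.test.com"),
    }
    return {k: (innetgr(before, "admins", **kw), innetgr(after, "admins", **kw))
            for k, kw in checks.items()}


if __name__ == "__main__":
    for check, (with_dash, with_blank) in compare_padding().items():
        print(f"{check:14s} pad '-': {with_dash!s:5s}  pad '': {with_blank}")
```

The `host_only` row is the caveat to weigh before changing the pad: with the empty pad, a host-based lookup against a user netgroup matches every host, so a netgroup generated this way should not double as a host list in a host-based rule. The "-" form keeps host lookups negative, which is exactly what blocked the user-based rule in the report above.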

Moving to next month's iteration.

BZ https://bugzilla.redhat.com/show_bug.cgi?id=809559 for slapi-nis is adding the ability to use an expression in PAD. We need this ability to determine host/usercat='all' to decide whether we should return '-' or * for padded elements.

For RHEL the new n-v-r for slapi-nis will need to be slapi-nis-0.40-1.el6

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04
