https://bugzilla.redhat.com/show_bug.cgi?id=767372
On 12/13/2011 10:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> When adding users or user groups to a netgroup, the format of the netgrouptriple ends up as following:
>
> nisNetgroupTriple: (-,username,ix.test.com)
>
> The extra "-" prevents me from using IPA's netgroups for tcp wrappers using /etc/hosts.allow and /etc/hosts.deny for user access control.
>
> Making the same test with a NIS server, creating the same entry without the "-", works for user access control.
>
> Looking at 389-ds' wiki, the "-" should not be there:
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Is this a configurable setting? Or should I open a ticket?
>
> To answer myself, yes this is configurable. There is an attribute under "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config", named "schema-compat-entry-attribute". Changing this attribute from:
>
> nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
>
> To:
>
> nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
>
> Makes the netgroup return correctly, and user-based hosts.allow and hosts.deny work just fine! The entries now look like:
>
> nisNetgroupTriple: (,username,ix.test.com)
>
> This allows me to use the same user group for access to services at Red Hat servers using SSSD/HBAC, and services at Solaris servers using tcp wrappers. SSH in Solaris comes with TCP wrappers built in, so no extra configuration is required. :)
According to http://docs.oracle.com/cd/E19253-01/816-4558/adtable-10078/index.html a dash is a negative wildcard, meaning there are no members allowed in that type.
For example this has host1 in domain doc.com but no users:
(host1, -,doc.com.)
Moving to next month iteration.
BZ https://bugzilla.redhat.com/show_bug.cgi?id=809559 for slapi-nis is adding the ability to use an expression in PAD. We need this ability to determine host/usercat='all' to decide whether we should return '-' or * for padded elements.
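The two comments above hinge on how a netgroup consumer interprets the fields of a triple: an empty field is a wildcard, while a dash is a negative wildcard that admits no member of that type, so a triple padded with "-" in the host slot can never match a real client host. The following Python model is an added illustration, not FreeIPA or slapi-nis code. `parse_triple`, `field_matches` and `innetgr` implement the field semantics from the cited Oracle documentation (with `None` for a query argument the caller does not care about, as with the C `innetgr()`); `pad` and `render_triples` are an assumed, simplified model of the padding decision discussed in the second comment (wildcard when the category is "all", otherwise "-"), and are not a reimplementation of slapi-nis's `%link` expression. The sample triples are the ones quoted in the ticket.

```python
"""Model of NIS netgroup triple matching and padding (added illustration,
not FreeIPA or slapi-nis code)."""
import re
from itertools import product
from typing import Iterable, List, Optional, Tuple

Triple = Tuple[str, str, str]

# "(host,user,domain)" with optional whitespace around each field.
_TRIPLE_RE = re.compile(r"^\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)$")


def parse_triple(text: str) -> Triple:
    """Parse one triple into (host, user, domain); whitespace in fields is ignored."""
    m = _TRIPLE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a netgroup triple: {text!r}")
    return m.group(1), m.group(2), m.group(3)


def field_matches(field: str, value: Optional[str]) -> bool:
    """Match one triple field against one queried value.

    value None -> the caller does not care about this field (innetgr semantics)
    field ''   -> wildcard, matches any value
    field '-'  -> negative wildcard: no real host, user or domain is named '-',
                  so the field matches nothing
    otherwise  -> case-insensitive exact comparison (DNS names, NIS domains)
    """
    if value is None or field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()


def innetgr(triples: Iterable[str], host: Optional[str], user: Optional[str],
            domain: Optional[str]) -> bool:
    """True if any triple admits the (host, user, domain) combination."""
    for t in triples:
        h, u, d = parse_triple(t)
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return False


def pad(members: List[str], category_all: bool) -> List[str]:
    """Assumed padding model (not slapi-nis's real behaviour): a slot with no
    explicit members becomes the wildcard '' when its category is 'all',
    otherwise '-' so that the slot admits nobody."""
    if members:
        return members
    return [""] if category_all else ["-"]


def render_triples(hosts: List[str], users: List[str], domain: str,
                   host_all: bool = False, user_all: bool = False) -> List[str]:
    """Emit one triple per (host, user) pair after padding empty slots."""
    return [f"({h},{u},{domain})"
            for h, u in product(pad(hosts, host_all), pad(users, user_all))]


if __name__ == "__main__":
    # Constructed sample: the triples quoted in the ticket, queried for a
    # hypothetical client host as a tcp-wrappers style host+user check would.
    buggy = ["(-,username,ix.test.com)"]
    fixed = ["(,username,ix.test.com)"]
    for name, ng in (("buggy", buggy), ("fixed", fixed)):
        ok = innetgr(ng, "solaris1.ix.test.com", "username", "ix.test.com")
        print(f"{name}: host+user check -> {'allowed' if ok else 'denied'}")
    print(render_triples([], ["username"], "ix.test.com", host_all=True))
```

The host-qualified query against the "-" padded triple is denied while the same query against the empty-padded triple is allowed, which is the behaviour difference the reporter observed in hosts.allow; a user-only query (host `None`) succeeds against either, which is why the padding only shows up once a consumer checks the host slot.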
For RHEL the new n-v-r for slapi-nis will need to be slapi-nis-0.40-1.el6
attachment freeipa-rcrit-1003-netgroup.patch
master: 7471ba2
ipa-2-2: d925eba
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04