
Re: Groups per host, same User pool



On 13/07/14 05:03, Mladen Sekara wrote:
> Just out of curiosity, is there a way to have host,group,users defined
> in ldap, so each host uses the same base dn, but depending on host/group
> in ldap, only groups that are assign to that host will be available?

Use netgroups if feasible, that's roughly what you are describing.
Object class nisNetgroup in nis.schema (RFC2307).  Membership is
resolved on the client side instead of with ACLs in the server.

They can be annoying to use, though:

The syntax is idiotic, it doesn't accept e.g. underscore (_) in user
names.  You can replace nis.schema with a non-standard schema
"rfc2307bis" if you need to get around that.  That schema also has
other changes like making posixGroup auxiliary, so you will need to
add a structural objectclass to your posixGroup objects.

You cannot search for netgroup membership in LDAP, only read a group
and then scan its member list.  Which is recursive - netgroups can
have netgroups for members.  Hopefully you can leave that to your OS -
nss_ldap and the like - instead of coding it yourself.

Beware that the RFC2307 examples do not match its syntax definition.
I think the syntax (section 2.4) is correct, it says you use
  nisNetgroupTriple: (host,user,domain)
where each component can be empty.  But the example in appendix A uses
  nisNetgroupTriple: (user,host,domain)

--
Hallvard
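As an added illustration of the client-side resolution Hallvard describes (this is my own example, not code from the thread, from OpenLDAP or from nss_ldap), the block below parses nisNetgroupTriple values in the RFC 2307 section 2.4 order (host,user,domain), treats an empty component as a wildcard and "-" as "no valid value" (standard netgroup semantics), follows memberNisNetgroup recursively with a guard against cycles, and reports values that fail the grammar, such as a user name containing an underscore. The directory content is a constructed in-memory stand-in for what an ldapsearch of ou=Netgroup would return; the component character class (letters, digits, dot, hyphen) is a simplification of the RFC grammar, chosen so that the underscore case from the post is visible.

```python
"""Client-side netgroup membership resolution over RFC 2307 nisNetgroup data.

Added example, not from the thread.  NETGROUPS is a constructed stand-in for
the nisNetgroupTriple / memberNisNetgroup attribute values an LDAP search
would return; everything else is generic resolution logic.
"""
import re
from typing import Dict, Iterator, List, Optional, Set, Tuple

# One triple in the section 2.4 order: (host,user,domain).  Each component is
# letters, digits, dot or hyphen, or empty.  Underscore is deliberately not
# accepted, mirroring the RFC 2307 keystring rule mentioned in the post.
# (The character class is a simplification of the RFC grammar.)
TRIPLE_RE = re.compile(r"^\(([A-Za-z0-9.-]*),([A-Za-z0-9.-]*),([A-Za-z0-9.-]*)\)$")

# Constructed sample directory content, keyed by netgroup cn.
NETGROUPS: Dict[str, Dict[str, List[str]]] = {
    "webadmins": {
        "nisNetgroupTriple": ["(,alice,)", "(web1,bob,example.com)"],
        "memberNisNetgroup": [],
    },
    "dbadmins": {
        # "(,dave_x,)" is malformed: '_' is not allowed by the grammar.
        "nisNetgroupTriple": ["(db1,carol,)", "(,dave_x,)"],
        "memberNisNetgroup": [],
    },
    "ops": {
        "nisNetgroupTriple": [],
        "memberNisNetgroup": ["webadmins", "dbadmins", "staff"],
    },
    "staff": {
        # "-" as host means "no valid host": matches only when the caller
        # does not ask about the host at all.
        "nisNetgroupTriple": ["(-,erin,)"],
        "memberNisNetgroup": ["ops"],  # cycle: staff -> ops -> staff
    },
}


def parse_triple(value: str) -> Optional[Tuple[str, str, str]]:
    """Parse one nisNetgroupTriple; None if it does not fit the grammar."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        return None
    host, user, domain = m.groups()
    return host, user, domain


def malformed_triples(groups: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """List (netgroup, raw value) pairs that the parser rejects.  A useful
    check before relying on a netgroup: a rejected triple silently grants
    nothing, so the affected user simply fails to match."""
    bad = []
    for name, entry in groups.items():
        for raw in entry.get("nisNetgroupTriple", []):
            if parse_triple(raw) is None:
                bad.append((name, raw))
    return bad


def expand(netgroup: str, groups: Dict[str, Dict[str, List[str]]],
           _seen: Optional[Set[str]] = None) -> Iterator[Tuple[str, str, str]]:
    """Yield every parsed triple reachable from `netgroup`, following
    memberNisNetgroup recursively.  Nothing in the directory prevents
    cycles, so visited names are tracked to guarantee termination."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen:
        return
    seen.add(netgroup)
    entry = groups.get(netgroup)
    if entry is None:  # dangling memberNisNetgroup reference: contributes nothing
        return
    for raw in entry.get("nisNetgroupTriple", []):
        triple = parse_triple(raw)
        if triple is not None:
            yield triple
    for child in entry.get("memberNisNetgroup", []):
        yield from expand(child, groups, seen)


def _component_matches(pattern: str, value: Optional[str]) -> bool:
    """innetgr(3)-style comparison of one triple component."""
    if value is None:    # caller does not care about this component
        return True
    if pattern == "":    # empty component in the triple is a wildcard
        return True
    if pattern == "-":   # "no valid value": never matches a concrete query
        return False
    return pattern == value


def innetgr(groups: Dict[str, Dict[str, List[str]]], netgroup: str,
            host: Optional[str] = None, user: Optional[str] = None,
            domain: Optional[str] = None) -> bool:
    """True if some triple reachable from `netgroup` matches the query."""
    for h, u, d in expand(netgroup, groups):
        if (_component_matches(h, host) and _component_matches(u, user)
                and _component_matches(d, domain)):
            return True
    return False


if __name__ == "__main__":
    print("malformed:", malformed_triples(NETGROUPS))
    print("carol@db1 in ops:", innetgr(NETGROUPS, "ops", host="db1", user="carol"))
    print("bob@web2 in webadmins:", innetgr(NETGROUPS, "webadmins", host="web2", user="bob"))
```

The `staff` entry shows why the cycle guard matters: resolving `staff` walks into `ops`, which lists `staff` again, and without the `seen` set the recursion would never end. The `malformed_triples` check is what you would run after loading a netgroup tree, since a triple the parser rejects is dropped rather than reported, and the user in it just quietly fails every membership test.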