Client enablement for LDAP netgroups
You can use netgroups as part of NIS-LDAP (the name-resolution method).
Perform the following steps for client enablement for LDAP
netgroups:
- Install and set up LDAP-based user and group management as
detailed in ldap_client_setup.html.
If the netgroup setup is not completed, the system lists any LDAP-defined user. For example, if nguser is a user in the netgroup mygroup that is already defined on the LDAP server, the command
lsuser -R LDAP nguser
lists the user.
- To enable the netgroup function, the module definition
for LDAP in the /usr/lib/security/methods.cfg file must include an options attribute with a netgroup value.
Edit the /usr/lib/security/methods.cfg file and
add the line
options = netgroup
to the LDAP stanza. This marks the LDAP load module as a netgroup-capable load module. For example:
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
        options = netgroup
Now the commands
lsuser -R LDAP nguser
lsuser nguser
lsuser -R LDAP -a ALL
do not list any users. LDAP is now considered a netgroup-only database from this client, and no netgroups have been enabled for access to this client yet.
- Edit the /etc/passwd file and append
a line for the netgroup that should have access to the system. For
example, if mygroup is a netgroup on the LDAP server that contains
the desired user, append the following:
+@mygroup
- Edit the /etc/group file and append a
+:
line to enable NIS lookups for groups.
Running the command
lsuser nguser
now returns the user because nguser is in the netgroup mygroup. The
lsuser -R LDAP nguser
command does not find the user, but the command
lsuser -R compat nguser
does, because the user is now considered a compat user.
- In order for netgroup users to authenticate to the system,
the AIX® authentication
mechanism must know the method to use. If the default stanza in the /etc/security/user file includes
SYSTEM = compat
then all netgroup users in the netgroup added to the /etc/passwd file can authenticate. Another option is to configure users individually by manually adding stanzas to the /etc/security/user file for the desired users. An example stanza for nguser is:
nguser:
        SYSTEM = compat
        registry = compat
Netgroup users in the allowed netgroups can now authenticate to the system.
Enabling the netgroup feature also activates the following conditions:
- Users defined in the /etc/security/user file
as members of the LDAP registry (having
registry=LDAP
and
SYSTEM="LDAP"
) cannot authenticate as LDAP users. These users are now nis_ldap users and require native NIS netgroup membership.
- The meaning of the compat registry is expanded to include modules that use netgroup. For example, if the LDAP module is netgroup-enabled, compat includes the files, NIS, and LDAP registries. Users retrieved from those modules have a registry value of compat.
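The following script is an added example and is not part of the AIX documentation. It audits the four files the procedure edits (methods.cfg, /etc/passwd, /etc/group and /etc/security/user) for the settings the steps above require, so a defender can confirm that a client really is in the netgroup-only state before relying on it. It writes constructed copies of those files into a temporary directory and points ROOT at it; the second methods.cfg stanza (OTHERMODULE) and the default SYSTEM value are constructed for the demonstration, and the function names are the example's own. To audit a real host, set ROOT=/ before calling the check functions; nothing is ever written outside the temporary directory. It assumes POSIX sh, awk and grep.

```shell
#!/bin/sh
# Added example, not part of the AIX documentation: a read-only audit of the
# settings the netgroup client procedure requires. CONSTRUCTED copies of the
# four files are written to a temporary directory and ROOT points at it; set
# ROOT=/ to audit a real host (nothing is written outside the temp directory).

SAMPLE=$(mktemp -d)
ROOT="$SAMPLE"
mkdir -p "$SAMPLE/usr/lib/security" "$SAMPLE/etc/security"

# Constructed methods.cfg: the LDAP stanza from the procedure plus a made-up
# second stanza (OTHERMODULE) so the parser must stop at the stanza boundary.
cat > "$SAMPLE/usr/lib/security/methods.cfg" <<'EOF'
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
        options = netgroup

OTHERMODULE:
        program = /usr/lib/security/OTHERMODULE
EOF

# Constructed /etc/passwd with the +@netgroup line appended.
cat > "$SAMPLE/etc/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
+@mygroup
EOF

# Constructed /etc/group with the +: line appended.
cat > "$SAMPLE/etc/group" <<'EOF'
system:!:0:root
+:
EOF

# Constructed /etc/security/user: a default stanza that does NOT use compat,
# plus the per-user nguser stanza from the procedure.
cat > "$SAMPLE/etc/security/user" <<'EOF'
default:
        SYSTEM = "files"
        registry = files

nguser:
        SYSTEM = compat
        registry = compat
EOF

# stanza_attr FILE STANZA ATTR: print ATTR's value from STANZA in an AIX
# stanza-format file ("name:" header followed by indented "attr = value").
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        BEGIN { key = stanza ":" }
        /^[^ \t#][^:]*:[ \t]*$/ {                 # stanza header, e.g. "LDAP:"
            hdr = $0; sub(/[ \t]+$/, "", hdr)
            in_stanza = (hdr == key); next
        }
        in_stanza && $0 ~ ("^[ \t]*" attr "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")               # keep only the value
            gsub(/"/, ""); sub(/[ \t]+$/, "")      # drop quotes, trailing blanks
            print; exit
        }' "$1"
}

# methods.cfg: the LDAP stanza carries options = netgroup (possibly in a list).
ldap_netgroup_enabled() {
    case ",$(stanza_attr "$ROOT/usr/lib/security/methods.cfg" LDAP options)," in
        *,netgroup,*) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/passwd: netgroup $1 has been granted access with a +@name line.
netgroup_granted() {
    grep -q "^+@$1\$" "$ROOT/etc/passwd"
}

# /etc/group: the +: line that enables NIS group lookups is present.
group_nis_lookup_enabled() {
    grep -q '^+:' "$ROOT/etc/group"
}

# /etc/security/user: the SYSTEM value that applies to user $1
# (the user's own stanza if it has one, otherwise the default stanza).
user_auth_method() {
    v=$(stanza_attr "$ROOT/etc/security/user" "$1" SYSTEM)
    [ -n "$v" ] || v=$(stanza_attr "$ROOT/etc/security/user" default SYSTEM)
    printf '%s\n' "$v"
}

# Overall check for one netgroup and one of its users; prints what is missing.
audit_netgroup_client() {   # $1 = netgroup, $2 = user
    ok=0
    ldap_netgroup_enabled    || { echo "methods.cfg: LDAP stanza lacks options = netgroup"; ok=1; }
    netgroup_granted "$1"    || { echo "/etc/passwd: no +@$1 line"; ok=1; }
    group_nis_lookup_enabled || { echo "/etc/group: no +: line"; ok=1; }
    case "$(user_auth_method "$2")" in
        *compat*) ;;
        *) echo "/etc/security/user: SYSTEM for $2 does not include compat"; ok=1 ;;
    esac
    return $ok
}

audit_netgroup_client mygroup nguser && echo "netgroup client configuration complete"
```

The stanza parser is deliberately simple: it reads one attribute from one stanza and strips optional quotes, which covers methods.cfg and /etc/security/user as shown in the procedure. A compound SYSTEM value such as a grammar with OR is only checked for the presence of the word compat; if the site uses more elaborate SYSTEM grammars, extend the last case accordingly.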
Related information
- The exports File for NFS document
- The .rhosts File Format for TCP/IP document
- The hosts.equiv File Format for TCP/IP document