Client enablement for LDAP netgroups

You can use netgroups as part of NIS-LDAP (the name-resolution method).

Perform the following steps for client enablement for LDAP netgroups:
  1. Install and set up LDAP-based user group management as detailed in ldap_client_setup.html.

    If the netgroup setup is not completed, any LDAP-defined user will be listed by the system. For example, if nguser is a netgroup user belonging to netgroup mygroup already defined in the LDAP server, lsuser -R LDAP nguser will list the user.

  2. To enable the netgroup function, the module definition for LDAP in the /usr/lib/security/methods.cfg file needs to include an options attribute with a netgroup value. Edit the /usr/lib/security/methods.cfg file and add the line options = netgroup to the LDAP stanza. This marks the LDAP load module as a netgroup-capable load module. For example:
    LDAP:
          program = /usr/lib/security/LDAP
          program_64 = /usr/lib/security/LDAP64
          options = netgroup
    Now the commands lsuser -R LDAP nguser, lsuser nguser, and lsuser -R LDAP -a ALL do not list any users. LDAP is now considered a netgroup-only database from this client, and no netgroups have been enabled for access to this client yet.
  3. Edit the /etc/passwd file, and append a line for the netgroup that should have access to the system. For example, if mygroup is a netgroup on the LDAP server that contains the desired user, append the following:
    +@mygroup
  4. Edit the /etc/group file and append a +: line to enable NIS lookups for groups:
    +:
    Running the command lsuser nguser now returns the user because nguser is in the netgroup mygroup.

    The lsuser -R LDAP nguser command does not find the user, but the command lsuser -R compat nguser does because the user is considered a compat user now.

  5. In order for netgroup users to authenticate to the system, the AIX® authentication mechanism must know the method to use. If the default stanza in the /etc/security/user file includes SYSTEM = compat, then all netgroup users in the netgroup added to the /etc/passwd file can authenticate. Another option would be to individually configure users by manually adding stanzas to the /etc/security/user file for the desired users. An example stanza for nguser is:
    nguser:
            SYSTEM = compat
            registry = compat
    Netgroup users in the allowed netgroups can now authenticate to the system.

    Enabling the netgroup feature also activates the following conditions:

    • Users defined in the /etc/security/user file as members of the LDAP registry (having registry=LDAP and SYSTEM="LDAP") cannot authenticate as LDAP users. These users are now nis_ldap users and require native NIS netgroup membership.
    • The meaning of registry compat is expanded to include modules that use netgroup. For example, if the LDAP module is netgroup-enabled, compat includes the files, NIS, and LDAP registries. Users retrieved from those modules have a registry value of compat.
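As an added example (not part of the IBM documentation), the following POSIX shell functions audit a client for the four settings that steps 2 through 5 change: the options = netgroup line in the LDAP stanza, the +@netgroup line in /etc/passwd, the +: line in /etc/group, and compat authentication for the user in /etc/security/user. The file paths are parameters so the checks can be run against copies of the files; mygroup and nguser are the names used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: audit the client-side
# settings that the five steps above change. File paths are parameters so the
# checks can run against copies of the files; netgroup and user are arguments.
# Only POSIX sh, grep and awk are used.

# Step 2: does the LDAP stanza of methods.cfg carry "options = netgroup"?
ldap_stanza_has_netgroup() {   # $1 = methods.cfg
  awk '
    /^[^ \t#*]/ && /:[ \t]*$/ { in_ldap = ($0 ~ /^LDAP:/) }
    in_ldap && /^[ \t]*options[ \t]*=/ && /netgroup/ { found = 1 }
    END { exit (found ? 0 : 1) }' "$1"
}

# Step 3: is the netgroup admitted in /etc/passwd by a "+@name" line?
passwd_admits_netgroup() {     # $1 = passwd, $2 = netgroup name
  grep -q "^+@$2\$" "$1"
}

# Step 4: does /etc/group hold the "+:" line that enables NIS group lookups?
group_has_plus() {             # $1 = group
  grep -q '^+:' "$1"
}

# Step 5: is the user routed to compat authentication? A per-user stanza
# overrides the default stanza, so a user left on SYSTEM = "LDAP" fails here.
user_auth_is_compat() {        # $1 = security/user, $2 = user name
  awk -v u="$2" '
    /^[^ \t#*]/ && /:[ \t]*$/ { stanza = $0; sub(/:[ \t]*$/, "", stanza) }
    /^[ \t]*SYSTEM[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v)
      if (stanza == u) uv = v; else if (stanza == "default") dv = v
    }
    END { v = (uv != "") ? uv : dv; exit ((v ~ /compat/) ? 0 : 1) }' "$1"
}

# Run every check, print PASS/FAIL per check, return the number of failures.
audit_netgroup_client() {      # methods.cfg passwd group security/user netgroup user
  fails=0
  for check in "ldap_stanza_has_netgroup $1" "passwd_admits_netgroup $2 $5" \
               "group_has_plus $3" "user_auth_is_compat $4 $6"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fails=$((fails + 1)); fi
  done
  return $fails
}

# Typical invocation on the client itself (names taken from the steps above):
# audit_netgroup_client /usr/lib/security/methods.cfg /etc/passwd /etc/group \
#                       /etc/security/user mygroup nguser
```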