
grouper-users - Re: [grouper-users] Modeling NIS netgroup?

Subject: Grouper Users - Open Discussion List

  • From: Tom Poage <>
  • To: "" <>
  • Subject: Re: [grouper-users] Modeling NIS netgroup?
  • Date: Tue, 27 Dec 2016 21:45:23 +0000

Hi, Michael.

That'd be close.

Something tells me to add one level of indirection, though that may be
because I don't completely understand Grouper capabilities yet.

E.g. let's say I want to restrict ssh access to SIS servers to the set of
sysadmins. Somewhere in there I might want to model a group containing the
pool of servers which come and go over time, and another group of individuals
belonging to the sysadmin group, likewise who come and go.

Maybe the simple thing to do is forget the servers and simply push (CFEngine,
Puppet, ...) the "plussed" NIS group to /etc/password on subject servers with
e.g.

+@sysadmin::0:0:::

making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it at
that. Not pretty, but perhaps functional.

Thanks.
Tom.

> On Dec 27, 2016, at 1:02 PM, Michael R. Gettes
> <>
> wrote:
>
> Hi Tom,
>
> Would the name of the group having the hostname and the group itself being
> the population do the trick?
>
> App:Unix:Netgroup:x.y.edu or something else to your liking? The resulting
> group could, of course, be the byproduct of other reference groups and
> include/exclude compositing to support allow/deny scenarios.
>
> /mrg
>
>> On Dec 27, 2016, at 11:22, Tom Poage
>> <>
>> wrote:
>>
>> Morning,
>>
>> Grouper newbie.
>>
>> Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
>>
>> name (user,machine,domain) (user,machine,domain) ...
>>
>> I think we could do without the domain, so it'd basically be the
>> intersection of groups of machines and groups of users.
>>
>> If so, what did the model look like, and did you build an adapter to
>> create the NIS map directly, or e.g. push to LDAP?
>>
>> Of course, there are several other ways to accomplish authZ for shell
>> access, such as SSSD w/ PAM, ....
>>
>> Thanks.
>> Tom.
>
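
Added example, not part of the original messages: a sketch of the "intersection of groups of machines and groups of users" model discussed in this thread, rendering two flat groups into a netgroup line and evaluating membership. It uses the (host,user,domain) field order and the empty-field wildcard / "-" no-match semantics from netgroup(5); the host names, user names, the `sis-ssh` group name and the idea that both sets come from Grouper-fed LDAP are assumptions made for illustration.

```python
import re

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def render(name, hosts, users):
    """One netgroup line: cross product of a host group and a user group."""
    triples = [f"({h},{u},)" for h in sorted(hosts) for u in sorted(users)]
    return f"{name} " + " ".join(triples)

def parse(map_text):
    """Parse netgroup lines into {name: (triples, nested_group_names)}."""
    groups = {}
    for line in map_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        triples = [tuple(f.strip() for f in m) for m in TRIPLE.findall(rest)]
        nested = TRIPLE.sub(" ", rest).split()  # what is left are group names
        groups[parts[0]] = (triples, nested)
    return groups

def _field_ok(field, value):
    # Empty field is a wildcard; "-" never matches.
    return field == "" or (field != "-" and field == value)

def innetgr(groups, name, host, user, _seen=None):
    """True if (host, user) matches the netgroup, following nested groups."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:  # unknown group or reference cycle
        return False
    seen.add(name)
    triples, nested = groups[name]
    if any(_field_ok(h, host) and _field_ok(u, user) for h, u, _ in triples):
        return True
    return any(innetgr(groups, n, host, user, seen) for n in nested)

# Constructed sample memberships (assumed to be exported from Grouper-fed LDAP).
SIS_SERVERS = {"sis1.example.edu", "sis2.example.edu"}
SYSADMINS = {"alice", "bob"}
MAP = parse(
    render("sis-ssh", SIS_SERVERS, SYSADMINS) + "\n"
    "sysadmin (,alice,) (,bob,)  # user-only group: host field is a wildcard\n"
)
```

The user-only `sysadmin` group matches on every host, so with that form the restriction to SIS servers comes only from which machines reference the group, not from the map itself.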



