Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Modeling NIS netgroup?

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Modeling NIS netgroup?

Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: Tom Poage <>, "" <>
  • Subject: RE: [grouper-users] Modeling NIS netgroup?
  • Date: Wed, 28 Dec 2016 16:50:55 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:30O5Zx10f2Usj1HOsmDT+DRfVm0co7zxezQtwd8ZseMRK/ad9pjvdHbS+e9qxAeQG96Kt7Qc0aGH6ujJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fdbghMizexe69+IAu5oQjVq8UdnJdvJLs2xhbVuHVDZv5YxXlvJVKdnhb84tm/8Zt++ClOuPwv6tBNX7zic6s3UbJXAjImM3so5MLwrhnMURGP5noHXWoIlBdDHhXI4wv7Xpf1tSv6q/Z91SyHNsD4Ubw4RTKv5LpwRRT2lCkIKSI28GDPisxxkq1bpg6hpwdiyILQeY2ZKeZycr/Ycd4cWGFPXNteVzZZD428cYUBEvYBM+hboYnzpVQOrAexCwajC+701j9In2P60bEm3+g9Dw3L2hErEdIUsHTTqdX4LKkeX+K1zajJ0zrDdeta0irj5YjIaBAhoOqMUbxtesfWzEkgCwPFj1WRqIP7JTOYzeUNs3OH4OZ6SOKvk3Aoqwd3ojS12Mgjl5TJi5sTx1vZ9it52J44KcOiR0JnfNKpFYZcuzyHO4ZzTMMvTH1ktDo/x7AEp5G2czYGxZEiyhLBd/CKfZCE7g/tWeqNOzt1gG9pdKihixqv9UWs0PDwW8u13VtMsyFLiMPDtmoX2BzW8sWHSuVy/kOm2TuXzw7e9uZKLVwpmabCNpMuwKA8moMUsUvYACD6gkL2jLKKdko//eio9uLnbaj8qp+ELY90jR3+PboylcyjAOQ4NQ4OU3Kc+eShyL3j+Ur5QLJJjvEsjqbZt5XaKdwapq6/HQBVzp4u5wilADu6zdgVmGQLIE9YdB+CgYjkNE3CLOz9APq9nVuhnylnyvXDM7H/HpnAIGDPkLL7crZ8705cxhAzzdda559MD7EOPPLzW0/wtdPGFB80KA20w/37B9lny4MeQXyAAqmfMK/Ir1CH+/8vL/GWZIAJoDb9N+Ql5/n2gH82g18derSp3YMJZ3CiB/hmPl6ZbmT2gtcaCmoKugs+TPf2iF2ZTzJffXeyX6Qg5j4lEoKmC5nMRpyzjLCbwii0A4BWNSh6DQWwFnKgT4KNVPpEPD6cOshonTEsSLOtQpEgzlejuBKsj/ItIfDT5zUVr9f+z9Vv/MXSkw0/7zp5E57b3m2QBSkgkXkPWic7xuViukFn0X+C17R1mfpVCYYV6v9UBFQUL5nZmqZaGsL/QEaJVdeTSU3sCoGjCjEgXN8r694VaABgA9ikiFbO0zf8UOxdrKCCGJFhqvGU5HP2Pcsoji+ejKQ=
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

You could model this in grouper permissions.

The people would be groups.
The servers would be resources (and can be hierarchical).
Do something with actions? Maybe the group name is the action? Or maybe
just use "assign"?

To get them into LDAP maybe have a loader job that reads the permissions and
sets up groups for you (then the pspng will take it from there). This could
run hourly or however often.

This would be pretty straightforward to setup if you need help let me know.


-----Original Message-----

On Behalf Of Tom Poage
Sent: Tuesday, December 27, 2016 4:45 PM

Subject: Re: [grouper-users] Modeling NIS netgroup?

Hi, Michael.

That'd be close.

Something tells me to add one level of indirection, though that may be
because I don't completely understand Grouper capabilities yet.

E.g. let's say I want to restrict ssh access to SIS servers to the set of
sysadmins. Somewhere in there I might want to model a group containing the
pool of servers which come and go over time, and another group of individuals
belonging to the sysadmin group, likewise who come and go.

Maybe the simple thing to do is forget the servers and simply push (CFEngine,
Puppet, ...) the "plussed" NIS group to /etc/password on subject servers with


making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it at
that. Not pretty, but perhaps functional.


> On Dec 27, 2016, at 1:02 PM, Michael R. Gettes
> <>
> wrote:
> Hi Tom,
> Would the name of the group having the hostname and the group itself being
> the population do the trick?
> or something else to your liking? The resulting
> group could, of course, be the by product of other reference groups and
> include/exclude compositing to support allow/deny scenarios.
> /mrg
>> On Dec 27, 2016, at 11:22, Tom Poage
>> <>
>> wrote:
>> Morning,
>> Grouper newbie.
>> Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
>> name (user,machine,domain) (user,machine,domain) ...
>> I think we could do without the domain, so it'd basically be the
>> intersection of groups of machines and groups of users.
>> If so, what did the model look like, and did you build an adapter to
>> create the NIS map directly, or e.g. push to LDAP?
>> Of course, there are several other ways to accomplish authZ for shell
>> access, such as SSSD w/ PAM, ....
>> Thanks.
>> Tom.

Archive powered by MHonArc 2.6.19.

Top of Page