Subject: Grouper Users - Open Discussion List
- From: Tom Barton <>
- Subject: Re: [grouper-users] Modeling NIS netgroup?
- Date: Wed, 28 Dec 2016 11:21:22 -0600
Hi Tom P,
Our design at UChicago for managing privileged access to systems uses a combination of several things, and I wondered if it might help you to think about the role grouper should play in that.
Grouper groups that contain system or application admins are managed by each team's supervisor/lead. These groups are used to limit user access either to a bastion host or "jump server" with local config that limits to which servers it can connect, or to an admin vpn on which a policy similarly limits the set of servers that users in each group can connect to. Either way, as the server populations change some firewall-ish changes are made on these privileged access devices, and as the sys/app admin population changes the grouper groups are updated. This approach also has some other benefits such as enforcing 2FA and closer monitoring and other security measures for privileged access to systems.
On 12/28/2016 10:50 AM, Hyzer, Chris wrote:
You could model this in grouper permissions.
The people would be groups.
The servers would be resources (and can be hierarchical).
Do something with actions? Maybe the group name is the action? Or maybe just use
To get them into LDAP maybe have a loader job that reads the permissions and
sets up groups for you (then the pspng will take it from there). This could
run hourly or however often.
This would be pretty straightforward to set up; if you need help, let me know.
On Behalf Of Tom Poage
Sent: Tuesday, December 27, 2016 4:45 PM
Subject: Re: [grouper-users] Modeling NIS netgroup?
That'd be close.
Something tells me to add one level of indirection, though that may be
because I don't completely understand Grouper capabilities yet.
E.g. let's say I want to restrict ssh access to SIS servers to the set of
sysadmins. Somewhere in there I might want to model a group containing the
pool of servers which come and go over time, and another group of individuals
belonging to the sysadmin group, likewise who come and go.
Maybe the simple thing to do is forget the servers and simply push (CFEngine, Puppet,
...) the "plussed" NIS group to /etc/password on subject servers with e.g.
making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it at
that. Not pretty, but perhaps functional.
On Dec 27, 2016, at 1:02 PM, Michael R. Gettes
Would the name of the group having the hostname and the group itself being
the population do the trick?
App:Unix:Netgroup:x.y.edu or something else to your liking? The resulting
group could, of course, be the by-product of other reference groups and
include/exclude compositing to support allow/deny scenarios.
On Dec 27, 2016, at 11:22, Tom Poage
Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
name (user,machine,domain) (user,machine,domain) ...
I think we could do without the domain, so it'd basically be the intersection
of groups of machines and groups of users.
If so, what did the model look like, and did you build an adapter to create
the NIS map directly, or e.g. push to LDAP?
Of course, there are several other ways to accomplish authZ for shell access,
such as SSSD w/ PAM, ....
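The model Tom Poage asks about (a netgroup as the product of a group of machines and a group of users), combined with Michael Gettes' include/exclude compositing for allow/deny, as an added worked example that is not code from the Grouper project or from anyone on this thread. It assumes a constructed export of Grouper group memberships (group name to member set); the group names and hostnames are made up, and the triples are written in the (host,user,domain) order that netgroup(5) actually uses.

```python
import re
from itertools import product

# Constructed sample export: Grouper group name -> members (hostnames or user ids).
GROUPS = {
    "app:unix:netgroup:sis:hosts": {"sis-db1.x.y.edu", "sis-app1.x.y.edu"},
    "app:unix:netgroup:sis:admins_include": {"alice", "bob", "carol"},
    "app:unix:netgroup:sis:admins_exclude": {"carol"},  # deny list
}

def composite_members(include_group, exclude_group):
    """Include/exclude compositing: the allow group minus the deny group."""
    return sorted(GROUPS[include_group] - GROUPS.get(exclude_group, set()))

def netgroup_triples(host_group, include_group, exclude_group, domain=""):
    """Cross product of the machine group and the composite user group,
    in netgroup(5) triple order: (host, user, domain)."""
    hosts = sorted(GROUPS[host_group])
    users = composite_members(include_group, exclude_group)
    return [(h, u, domain) for h, u in product(hosts, users)]

def format_netgroup(name, triples):
    """Render one NIS netgroup map line: name (host,user,domain) ..."""
    return name + " " + " ".join(f"({h},{u},{d})" for h, u, d in triples)

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroup(line):
    """Parse a netgroup map line back into (name, [(host, user, domain), ...])."""
    name, _, rest = line.partition(" ")
    return name, TRIPLE_RE.findall(rest)

def permits(triples, host, user, domain=""):
    """NIS matching rule: an empty field is a wildcard, '-' matches nothing."""
    def field_ok(field, value):
        return field == "" or (field != "-" and field == value)
    return any(field_ok(h, host) and field_ok(u, user) and field_ok(d, domain)
               for h, u, d in triples)

if __name__ == "__main__":
    triples = netgroup_triples("app:unix:netgroup:sis:hosts",
                               "app:unix:netgroup:sis:admins_include",
                               "app:unix:netgroup:sis:admins_exclude")
    print(format_netgroup("sisadmins", triples))
```

Running `permits()` over the generated triples is a cheap way to check, before the map is pushed, that a denied user no longer matches any host.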