grouper-users - Re: [grouper-users] Modeling NIS netgroup?
Subject: Grouper Users - Open Discussion List
- From: Tom Poage <>
- Subject: Re: [grouper-users] Modeling NIS netgroup?
- Date: Wed, 28 Dec 2016 22:22:31 +0000
Thank you Chris and Tom B.
Your ideas and comments have given me plenty to think about, and what I might
focus on initially.
Still absorbing (videos, docs, ...),
Tom.
> On Dec 28, 2016, at 9:21 AM, Tom Barton wrote:
>
> Hi Tom P,
>
> Our design at UChicago for managing privileged access to systems uses a
> combination of several things, and I wondered if it might help you to think
> about the role grouper should play in that.
>
> Grouper groups that contain system or application admins are managed by
> each team's supervisor/lead. These groups are used to limit user access
> either to a bastion host or "jump server" with local config that limits to
> which servers it can connect, or to an admin vpn on which a policy
> similarly limits the set of servers that users in each group can connect
> to. Either way, as the server populations change some firewall-ish changes
> are made on these privileged access devices, and as the sys/app admin
> population changes the grouper groups are updated. This approach also has
> some other benefits such as enforcing 2FA and closer monitoring and other
> security measures for privileged access to systems.
>
> Tom B
>
> On 12/28/2016 10:50 AM, Hyzer, Chris wrote:
>> You could model this in grouper permissions.
>>
>> The people would be groups.
>> The servers would be resources (and can be hierarchical).
>> Do something with actions? Maybe the group name is the action? Or maybe
>> just use "assign"?
>>
>> To get them into LDAP maybe have a loader job that reads the permissions
>> and sets up groups for you (then the pspng will take it from there). This
>> could run hourly or however often.
>>
>> This would be pretty straightforward to set up; if you need help let me know.
>>
>> Thanks
>> Chris
>>
>> -----Original Message-----
>> From: [mailto:] On Behalf Of Tom Poage
>> Sent: Tuesday, December 27, 2016 4:45 PM
>> To:
>> Subject: Re: [grouper-users] Modeling NIS netgroup?
>>
>> Hi, Michael.
>>
>> That'd be close.
>>
>> Something tells me to add one level of indirection, though that may be
>> because I don't completely understand Grouper capabilities yet.
>>
>> E.g. let's say I want to restrict ssh access to SIS servers to the set of
>> sysadmins. Somewhere in there I might want to model a group containing the
>> pool of servers which come and go over time, and another group of
>> individuals belonging to the sysadmin group, likewise who come and go.
>>
>> Maybe the simple thing to do is forget the servers and simply push
>> (CFEngine, Puppet, ...) the "plussed" NIS group to /etc/passwd on
>> subject servers with e.g.
>>
>> +@sysadmin::0:0:::
>>
>> making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it
>> at that. Not pretty, but perhaps functional.
>>
>> Thanks.
>> Tom.
>>
>>> On Dec 27, 2016, at 1:02 PM, Michael R. Gettes wrote:
>>>
>>> Hi Tom,
>>>
>>> Would the name of the group having the hostname and the group itself
>>> being the population do the trick?
>>>
>>> App:Unix:Netgroup:x.y.edu or something else to your liking? The
>>> resulting group could, of course, be the by-product of other reference
>>> groups and include/exclude compositing to support allow/deny scenarios.
>>>
>>> /mrg
>>>
>>>> On Dec 27, 2016, at 11:22, Tom Poage wrote:
>>>>
>>>> Morning,
>>>>
>>>> Grouper newbie.
>>>>
>>>> Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
>>>>
>>>> name (user,machine,domain) (user,machine,domain) ...
>>>>
>>>> I think we could do without the domain, so it'd basically be the
>>>> intersection of groups of machines and groups of users.
>>>>
>>>> If so, what did the model look like, and did you build an adapter to
>>>> create the NIS map directly, or e.g. push to LDAP?
>>>>
>>>> Of course, there are several other ways to accomplish authZ for shell
>>>> access, such as SSSD w/ PAM, ....
>>>>
>>>> Thanks.
>>>> Tom.
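The netgroup model raised in Tom Poage's original question (`name (user,machine,domain)` triples built from a group of users and a group of machines, with one level of indirection between them) worked through as an added example; this is not code from the thread or from Grouper. It assumes the memberships have already been read out of Grouper (for instance via its LDAP provisioning) into plain Python sets; the group names, hostnames and the `POLICY` table are constructed sample data.

```python
from itertools import product
import re

# Constructed sample data standing in for Grouper-fed group memberships.
USER_GROUPS = {"app:unix:sysadmin": {"alice", "bob"}}
MACHINE_GROUPS = {"app:unix:sis-servers": {"sis1.example.edu", "sis2.example.edu"}}
# Netgroup name -> (user group, machine group): the extra level of indirection,
# so servers and people can each come and go without touching the other side.
POLICY = {"sis-admins": ("app:unix:sysadmin", "app:unix:sis-servers")}

TRIPLE = re.compile(r"\(([^,)]*),([^,)]*),([^,)]*)\)")

def build_netgroup_map(policy, user_groups, machine_groups, domain=""):
    """Render NIS netgroup lines: name (user,host,domain) (user,host,domain) ..."""
    lines = {}
    for name, (ug, mg) in policy.items():
        users = sorted(user_groups.get(ug, ()))
        hosts = sorted(machine_groups.get(mg, ()))
        triples = [f"({u},{h},{domain})" for u, h in product(users, hosts)]
        lines[name] = f"{name} {' '.join(triples)}".rstrip()
    return lines

def parse_netgroup_line(line):
    """Split a map line into (name, list of triples, names of nested netgroups)."""
    name, _, rest = line.partition(" ")
    triples = [tuple(t) for t in TRIPLE.findall(rest)]
    nested = TRIPLE.sub(" ", rest).split()   # bare tokens reference other netgroups
    return name, triples, nested

def innetgr(netgroups, name, user, host, domain="", seen=None):
    """Membership test with NIS semantics: empty field is a wildcard, '-' never matches."""
    if seen is None:
        seen = set()
    if name in seen or name not in netgroups:   # unknown name or a cyclic reference
        return False
    seen.add(name)
    _, triples, nested = parse_netgroup_line(netgroups[name])
    for u, h, d in triples:
        if all(want == "" or (want != "-" and want == got)
               for want, got in ((u, user), (h, host), (d, domain))):
            return True
    return any(innetgr(netgroups, n, user, host, domain, seen) for n in nested)
```

`innetgr` mirrors the libc call of the same name, so the generated map can be checked for a (user, host) pair before it is pushed out via NIS or LDAP.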