
Re: [grouper-users] Modeling NIS netgroup?

  • From: Tom Poage <>
  • To: "" <>
  • Subject: Re: [grouper-users] Modeling NIS netgroup?
  • Date: Wed, 28 Dec 2016 22:22:31 +0000

Thank you Chris and Tom B.

Your ideas and comments have given me plenty to think about, and what I might
focus on initially.

Still absorbing (videos, docs, ...),

> On Dec 28, 2016, at 9:21 AM, Tom Barton <> wrote:
> Hi Tom P,
> Our design at UChicago for managing privileged access to systems uses a
> combination of several things, and I wondered if it might help you to think
> about the role grouper should play in that.
> Grouper groups that contain system or application admins are managed by
> each team's supervisor/lead. These groups are used to limit user access
> either to a bastion host or "jump server" with local config that limits to
> which servers it can connect, or to an admin vpn on which a policy
> similarly limits the set of servers that users in each group can connect
> to. Either way, as the server populations change some firewall-ish changes
> are made on these privileged access devices, and as the sys/app admin
> population changes the grouper groups are updated. This approach also has
> some other benefits such as enforcing 2FA and closer monitoring and other
> security measures for privileged access to systems.
> Tom B
> On 12/28/2016 10:50 AM, Hyzer, Chris wrote:
>> You could model this in grouper permissions.
>> The people would be groups.
>> The servers would be resources (and can be hierarchical).
>> Do something with actions? Maybe the group name is the action? Or maybe
>> just use "assign"?
>> To get them into LDAP maybe have a loader job that reads the permissions
>> and sets up groups for you (then the pspng will take it from there). This
>> could run hourly or however often.
>> This would be pretty straightforward to set up; if you need help let me know.
>> Thanks
>> Chris
>> -----Original Message-----
>> From: [mailto:] On Behalf Of Tom Poage
>> Sent: Tuesday, December 27, 2016 4:45 PM
>> To:
>> Subject: Re: [grouper-users] Modeling NIS netgroup?
>> Hi, Michael.
>> That'd be close.
>> Something tells me to add one level of indirection, though that may be
>> because I don't completely understand Grouper capabilities yet.
>> E.g. let's say I want to restrict ssh access to SIS servers to the set of
>> sysadmins. Somewhere in there I might want to model a group containing the
>> pool of servers which come and go over time, and another group of
>> individuals belonging to the sysadmin group, likewise who come and go.
>> Maybe the simple thing to do is forget the servers and simply push
>> (CFEngine, Puppet, ...) the "plussed" NIS group to /etc/password on
>> subject servers with e.g.
>> +@sysadmin::0:0:::
>> making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it
>> at that. Not pretty, but perhaps functional.
>> Thanks.
>> Tom.
>>> On Dec 27, 2016, at 1:02 PM, Michael R. Gettes <> wrote:
>>> Hi Tom,
>>> Would the name of the group having the hostname and the group itself
>>> being the population do the trick?
>>> or something else to your liking? The
>>> resulting group could, of course, be the by product of other reference
>>> groups and include/exclude compositing to support allow/deny scenarios.
>>> /mrg
>>>> On Dec 27, 2016, at 11:22, Tom Poage <> wrote:
>>>> Morning,
>>>> Grouper newbie.
>>>> Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
>>>> name (user,machine,domain) (user,machine,domain) ...
>>>> I think we could do without the domain, so it'd basically be the
>>>> intersection of groups of machines and groups of users.
>>>> If so, what did the model look like, and did you build an adapter to
>>>> create the NIS map directly, or e.g. push to LDAP?
>>>> Of course, there are several other ways to accomplish authZ for shell
>>>> access, such as SSSD w/ PAM, ....
>>>> Thanks.
>>>> Tom.
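Added example, not code from this thread or from Grouper: a Python sketch of what Chris's loader job and Tom's "intersection of machines and users" describe. It composes include/exclude groups (Michael's allow/deny compositing) and renders the result as NIS netgroup triples, which netgroup(5) writes in (host,user,domain) order; an empty host field is the wildcard, which gives the people-only netgroup Tom's "+@sysadmin" idea relies on. Group names and memberships are constructed.

```python
"""Render Grouper-style group memberships as NIS netgroup map lines."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample memberships standing in for a Grouper-fed LDAP export.
GROUPS: Dict[str, Set[str]] = {
    "app:sis:sysadmins":      {"alice", "bob", "carol"},
    "ref:separated":          {"carol"},        # deny list (exclude)
    "app:sis:servers":        {"sis-db01", "sis-web01", "sis-web02"},
    "app:sis:decommissioned": {"sis-web02"},    # hosts that have "gone"
}


def composite(include: Set[str], exclude: Set[str]) -> Set[str]:
    """Grouper-style include/exclude composite: allowed members minus excludes."""
    return include - exclude


def netgroup_entry(name: str, hosts: Set[str], users: Set[str], domain: str = "") -> str:
    """Render one netgroup line as 'name (host,user,domain) ...'.

    Every (host,user) pair gets its own triple, so the entry is the
    intersection of the host group and the user group.  With no hosts the
    host field is left empty, which netgroup(5) treats as a wildcard.
    """
    if not hosts:
        hosts = {""}
    triples = sorted((h, u) for h in hosts for u in users)
    return name + " " + " ".join(f"({h},{u},{domain})" for h, u in triples)


def parse_netgroup(line: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Parse a netgroup line back into (name, [(host, user, domain), ...])."""
    name, _, rest = line.partition(" ")
    return name, re.findall(r"\(([^,()]*),([^,()]*),([^,()]*)\)", rest)


def build_sis_netgroup() -> str:
    """The SIS sysadmin netgroup: current admins on current SIS servers."""
    users = composite(GROUPS["app:sis:sysadmins"], GROUPS["ref:separated"])
    hosts = composite(GROUPS["app:sis:servers"], GROUPS["app:sis:decommissioned"])
    return netgroup_entry("sis_admins", hosts, users)


if __name__ == "__main__":
    print(build_sis_netgroup())
    print(netgroup_entry("sysadmin", set(), {"alice", "bob"}))
```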

Archive powered by MHonArc 2.6.19.
