From 389 Directory Server
I would like to know if this is a bad way to handle NIS groups. I read this documentation and implemented it, but I preferred the AIX way of handling NIS groups with LDAP. I went ahead and did the same with Linux/FC6 and RHEL4, and it worked. Here are the steps to reproduce what I have done.
Prerequisites
The machine on which you want to use netgroups should already be configured to talk to the LDAP server; that is, /etc/ldap.conf should be set up and working. You should also have a netgroup in your LDAP server to test with. You should be able to run ldapsearch -x -h ds.example.com and see results. Change ds.example.com to the DNS name of your Directory Server.
Setting nsswitch.conf
Edit /etc/nsswitch.conf with your favorite editor and change the passwd, group and shadow lines to the following.
passwd: compat
shadow: compat
group: compat
Then, below those lines, add these entries so that the compat source is resolved from LDAP.
passwd_compat: ldap
group_compat: ldap
shadow_compat: ldap
Make sure netgroup is set to
netgroup: files ldap
or just
netgroup: ldap
Edit passwd/group files
Now open /etc/passwd and add the following line at the bottom of the file. In compat mode this admits only the accounts that are members of the named netgroup; a bare + on its own would admit every account the LDAP source returns.
+@System Test Group
Yes, you can use spaces in the netgroup name. I know I have read in other places that spaces may cause problems; this may be with PAM, but using names with spaces is working for me. If, however, you did want to use the PAM method in the future, you would need to change all your netgroup names, removing all white space, or use the listsep=separators option. I have not tested the listsep=separators option.
Now add a simple + on a line of its own at the end of /etc/group, after the existing entries. Note that this bare + pulls in every group from the LDAP source; the netgroup restriction applies only to the passwd entries above.
torrent:x:101:
postdrop:x:90:
postfix:x:89:
+
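As an added example that is not part of the original page, the following POSIX shell script checks a set of nsswitch.conf, passwd and group files for the combination described in the steps above: compat on passwd, shadow and group with matching passwd_compat/shadow_compat/group_compat: ldap lines, ldap among the netgroup sources, and only +@netgroup or -@netgroup directives (no bare +) in passwd. The function names, the check logic and the constructed sample files built in demo() are assumptions made for this example; they are not 389 Directory Server code.

```shell
#!/bin/sh
# Added example, not part of the original page: a static sanity check of the
# compat-mode netgroup setup.  Each function takes file paths, so it can be
# pointed at the live files (/etc/nsswitch.conf, /etc/passwd, /etc/group) or
# at constructed copies like the ones demo() writes below.

# Print the source list configured for one nsswitch database, e.g. "compat"
# for "passwd: compat" or "files ldap" for "netgroup: files ldap".
nss_sources() {   # $1 = nsswitch.conf path, $2 = database name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Succeed only if $2 is served by "compat" AND $2_compat is served by "ldap";
# one without the other means the +@netgroup lines are never expanded from LDAP.
compat_ok() {     # $1 = nsswitch.conf path, $2 = passwd | shadow | group
    case " $(nss_sources "$1" "$2") " in
        *" compat "*) ;;
        *) return 1 ;;
    esac
    case " $(nss_sources "$1" "${2}_compat") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if every compat directive in a passwd file names a netgroup
# (+@name or -@name).  A bare "+" (or "+::::::") admits every account the LDAP
# source returns, which defeats the purpose of using a netgroup at all.
passwd_restricted() {   # $1 = passwd file path
    bad=0
    while read -r directive; do
        case "$directive" in
            '') ;;
            '+') echo "$1: bare '+' entry admits every LDAP user" >&2; bad=1 ;;
            +@*|-@*) ;;
            *) echo "$1: note, '$directive' is a single-user compat entry" >&2 ;;
        esac
    done <<EOF
$(grep '^[+-]' "$1" | cut -d: -f1)
EOF
    return "$bad"
}

# Combine the checks; print each problem to stderr and return non-zero if any.
check_config() {   # $1 = nsswitch.conf, $2 = passwd, $3 = group
    rc=0
    for db in passwd shadow group; do
        compat_ok "$1" "$db" || { echo "$db must be 'compat' with ${db}_compat: ldap" >&2; rc=1; }
    done
    case " $(nss_sources "$1" netgroup) " in
        *" ldap "*) ;;
        *) echo "netgroup must include ldap, otherwise +@ lines match nothing" >&2; rc=1 ;;
    esac
    passwd_restricted "$2" || rc=1
    grep -q '^+' "$3" || { echo "$3 has no '+' line, LDAP groups will be invisible" >&2; rc=1; }
    return "$rc"
}

# Run check_config over constructed files (sample data, not real system files).
demo() {   # $1 = compat line for passwd, $2 = netgroup sources (default "files ldap")
    tmp=$(mktemp -d) || return 1
    printf 'passwd: compat\nshadow: compat\ngroup: compat\n' > "$tmp/nsswitch.conf"
    printf 'passwd_compat: ldap\ngroup_compat: ldap\nshadow_compat: ldap\n' >> "$tmp/nsswitch.conf"
    printf 'netgroup: %s\n' "${2:-files ldap}" >> "$tmp/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\n%s\n' "$1" > "$tmp/passwd"
    printf 'root:x:0:\npostfix:x:89:\n+\n' > "$tmp/group"
    check_config "$tmp/nsswitch.conf" "$tmp/passwd" "$tmp/group"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ $# -eq 3 ]; then
    check_config "$@"          # e.g. sh check.sh /etc/nsswitch.conf /etc/passwd /etc/group
else
    demo '+@System Test Group' && echo "constructed configuration looks sane"
fi
```

Run it with no arguments to exercise the constructed sample, or with the three live file paths to check a real host. It only inspects the files; to confirm what NSS actually resolves once the setup is in place, use getent passwd <user> and getent netgroup '<netgroup name>' on the client.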
Testing
Connect to your machine and see if it will let you in. Make sure that the user you are trying to connect with is in the netgroup; getent passwd <user> and getent netgroup '<netgroup name>' on the client show what NSS actually resolves. Once that works, remove them from the netgroup, or try a different user who is not in it, and confirm that the login is refused.
Warnings
- The GUI tools cannot add or remove the compat options. You will need to edit the file by hand to add or remove those items.
- I have read not to use more than one netgroup in /etc/passwd. Being the person I am, I tried using two to see what would happen, and it worked. So please test this and report back.
