# netgroup using LDAP in FreeBSD11.1



## zjlinickey (Feb 6, 2018)

Hey all!

I am migrating NIS to LDAP, but netgroups don't seem to work as expected.

I am trying to installed nss-pam-ldapd on 11.1-RELEASE, and set up uri, base, TLS.
I use getent to get the map, passwd and group work ok, I can get data in LDAP, but
getent netgroup <name> doesn't return anything even if it is a valid name.
If I put a netgroup into /etc/netgroup, it will find that one group.

The enviroment is FreeBSD 11.1-RELEASE, OpenLDAP 2.4

My /etc/nsswitch.conf looks like this:

```
group: files ldap
hosts: files dns
networks: files ldap
netgroup: ldap
passwd: files ldap
shells: files
services: compat
services_compat: files
protocols: files
rpc: files
```

netgroup's schema in LDAP looks like this:

```
dn: cn=testNetgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: testNetgroup
nisNetgroupTriple: (,aaa,)
nisNetgroupTriple: (,bbb,)
nisNetgroupTriple: (,ccc,)
```

From what I have been able to read, it might be that netgroups are not really well supported by nsswitch.conf. Is that true?

Help will be greatly appreciated, as this could impact other ways I have always
used netgroups...


Thank you!


----------



## SirDice (Feb 7, 2018)

Never used netgroups with LDAP, I generally just use the PosixGroup for groups.


----------



## zjlinickey (Feb 7, 2018)

Dear SirDice,

Thanks your reply!
Because our team have several machines, we need the feature of netgroup to control access.
e.g. master.passwd, sudoers file...
Just group may not support the feature.
Is any other solution can replace netgroup?


----------



## SirDice (Feb 7, 2018)

zjlinickey said:


> Because our team have several machines, we need the feature of netgroup to control access.
> e.g. master.passwd, sudoers file...


Am I understanding correctly that you don't want all users to be able to login on all machines? So you want to define a group of users that only has access to Server1 and another group that only has access to Server2 for example? 

For sudo(8) it shouldn't be much of a problem, I've done things like that before, you just need to make clever use of the Host_alias.


----------



## zjlinickey (Feb 7, 2018)

SirDice said:


> Am I understanding correctly that you don't want all users to be able to login on all machines? So you want to define a group of users that only has access to Server1 and another group that only has access to Server2 for example?
> 
> For sudo(8) it shouldn't be much of a problem, I've done things like that before, you just need to make clever use of the Host_alias.



YES, I want to do that!
Because there are many people in our team to maintain several systems, and the transfer of personnel is fast.
We want to find a simple method to manage the permission, like netgroup can be used in both login access and sudoers file.


----------



## M1cRO (Feb 8, 2018)

Actually you can use netgroup in FreeBSD 11+(https://svnweb.freebsd.org/base?view=revision&revision=301711)
but you need: https://people.freebsd.org/~markj/patches/nss_ldap_netgroup.patch for net/nss_ldap
After that:
add: *netgroup: ldap* to /etc/nsswitch.conf
add: *nss_base_netgroup ou=Netgroup,dc=mydomain,dc=com?sub* to /usr/local/etc/nss_ldap.conf
and you will see:
`getent netgroup testNetgroup
testNetgroup (,aaa,) (,bbb,) (,ccc,)`

ps: I have netgroup on 10.2 but you need patching your libc:
https://people.freebsd.org/~markj/patches/netgroup_nss.diff
https://people.freebsd.org/~markj/patches/netgroup_nss2.diff

ps2: sudo support netgroup without any patch all be fine  just do not forget build it with ldap support


----------



## zjlinickey (Feb 9, 2018)

M1cRO said:


> Actually you can use netgroup in FreeBSD 11+(https://svnweb.freebsd.org/base?view=revision&revision=301711)
> but you need: https://people.freebsd.org/~markj/patches/nss_ldap_netgroup.patch for net/nss_ldap
> After that:
> add: *netgroup: ldap* to /etc/nsswitch.conf
> ...



Thank for your help!
It works!!
I just patch net/nss_ldap, the other look like have patched in libc.
But there is another probelm:
e.g.
teamA (,Adam,) (,Mike,)
teamB (,Bob,) (,Alice,)
getent netgroup teamA
getent netgroup teamB
Works ok.

all-users  teamA teamB
teamA (,Adam,) (,Mike,)
teamB (,Bob,) (,Alice,)
getent netgroup all-users
It returns nothing.


----------



## M1cRO (Feb 9, 2018)

If you are trying use "memberNisNetgroup" it not implemented in nss_ldap, need do one more patch.


----------

