Hi Rob,
Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem
to like the netgroup option:
-bash-3.2# getent netgroup test1
Unknown database: netgroup
usage: getent database [ key ... ]
-bash-3.2# uname -a
SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
-bash-3.2# cat /etc/release
Solaris 10 10/09 s10s_u8wos_08a SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 16 September 2009
-bash-3.2#
Thanks!
Dan
-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: January 02, 2015 10:15 AM
To: Watson, Dan; [email protected]
Subject: Re: [Freeipa-users] Integration with Solaris 10
Watson, Dan wrote:
> Hi All,
>
> I've lurked in the list history and cannot find anyone saying they have
> gotten login restrictions working with Solaris 10 u8. Has anyone on here
> successfully configured login restrictions on Solaris 10 u8 through u11? I'm
> looking for specific instructions from someone who has gotten this to work
> before.
>
> The two main routes to login restrictions I could find online are Netgroups
> or conditional ldap queries in ldapclient
>
> I initially tried netgroups but wasn't sure how to troubleshoot when it
> didn't work. There don't seem to be any user-land tools to query netgroups,
> and further investigation turned up an issue with OpenLDAP. It seems the
> built-in Solaris 10 ldap client expects schema RFC2307bis and not the
> OpenLDAP standard RFC2307 (explanation here
> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does
> anyone know if this issue applies to IPA? Or how I check?
>
> The alternative of passing a restrictive query to ldapclient seems like a
> good route but doesn't seem to work. The common solution when using the old
> SunOne directory server was to pass the ldapclient (command line ldap
> configuration tool) an option like
> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0)
> which is supposed to restrict account checking to only people in
> ou=people,p=myorg,c=de who are also members of
> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work
> in IPA, first of all because there is no "isMemberof" attribute on a user,
> but it also doesn't work on other attributes like uid or uidNumber. One possible
> explanation I've found is that these attributes are not indexed, but I have
> no idea if this is correct or how to add them to be indexed.
>
> Has anyone else solved this? I just need to be able to allow only a specific
> user group to log in to the host; unfortunately the ssh directive
> "AllowGroups" is not good enough, this has to be system wide as we also have
> samba and some other services that rely on system authentication.
>
> Can anyone be of some help?
>
> Thanks!
> Dan
>
You can use getent netgroup <name> to get a specific netgroup.
Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
rob
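As an added example (not from Rob's or Dan's messages), a small POSIX shell helper that checks netgroup membership directly from the LDIF returned by the ldapsearch Rob suggests, for systems like Dan's where getent has no netgroup database. The netgroup name, the base DN, the server name and the sample LDIF are assumptions; fetch_netgroup uses OpenLDAP client syntax, and the ldapsearch bundled with Solaris 10 takes different options.

```shell
#!/bin/sh
# Added example: list who an IPA compat-tree netgroup admits without getent netgroup.
# The compat tree publishes members as nisNetgroupTriple values shaped (host,user,domain);
# nested netgroups appear as memberNisNetgroup. DNs and names below are assumptions.

# Constructed sample LDIF, shaped like the output of
#   ldapsearch -x -LLL -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
SAMPLE_LDIF='dn: cn=usertest,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: usertest
nisNetgroupTriple: (,dan,)
nisNetgroupTriple: (vdcudantest01,alice,example.com)
nisNetgroupTriple: (,bob,)
memberNisNetgroup: unixadmins
'

# Print the user field of every triple read from stdin, one per line.
# Triples with an empty user field (host-only entries) match no user and are dropped.
netgroup_users() {
    sed -n 's/^nisNetgroupTriple: *(\([^,]*\),\([^,]*\),\([^)]*\))$/\2/p' | grep -v '^$'
}

# Print the nested netgroups named by memberNisNetgroup, which this helper does not expand.
netgroup_nested() {
    sed -n 's/^memberNisNetgroup: *//p'
}

# Return 0 if user $2 is a direct member in the LDIF text $1, else 1.
netgroup_has_user() {
    printf '%s\n' "$1" | netgroup_users | grep -qx "$2"
}

# Live query against the compat tree (OpenLDAP client syntax as in Rob's reply;
# the server name and an anonymously readable compat tree are assumptions).
fetch_netgroup() {
    ldapsearch -x -LLL -H ldap://ipa.example.com -b "cn=$1,cn=ng,cn=compat,dc=example,dc=com"
}

netgroup_has_user "$SAMPLE_LDIF" dan && echo "dan is a direct member of usertest"
netgroup_has_user "$SAMPLE_LDIF" eve || echo "eve is not a direct member of usertest"
printf '%s\n' "$SAMPLE_LDIF" | netgroup_nested | sed 's/^/nested netgroup to check separately: /'
```

Real ldapsearch output folds lines longer than 76 characters onto continuation lines, so very long triples would need unfolding before the sed pattern sees them.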
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project