2007-12-29

LDAP netgroups in Leopard

Filed under: Geekiness — iain @ 11:43:42

It appears as though these don’t work.

Here’s a sample netgroup in LDAP.

    dn: cn=appliances,ou=netgroup,dc=iain,dc=cx
    objectClass: nisNetGroup
    cn: appliances
    nisNetgroupTriple: (accesspoint,,)
    nisNetgroupTriple: (router,,)
    nisNetgroupTriple: (wii,,)

And here’s a simple C program to enumerate hosts in a netgroup.

    #include <stdio.h>
    #include <stdlib.h>
    #include <netdb.h>   /* setnetgrent(), getnetgrent(), endnetgrent() */
    
    int main(int argc, char **argv) {
      char *group, *hostp, *userp, *domainp;
    
      if (argc == 1) {
        fprintf(stderr, "Usage: netgroups <netgroup>\n");
        exit(1);
      }
      
      /* What group do we want?  Accept the "@group" form too. */
      group = argv[1];
      if (*group == '@') group++;
       
      /* Walk the (host,user,domain) triples and print the host field. */
      setnetgrent(group);
      while (getnetgrent(&hostp, &userp, &domainp)) printf("%s\n", hostp);
      endnetgrent();
      
      exit(0);
    }

If I run this on Linux I get the expected result.

    $ netgroups appliances
    accesspoint
    router
    wii

The Mac has no DirectoryService mapping for netgroups by default, so I added one with Directory Utility.app.

    NetGroups => nisNetgroup
        RecordName => cn

"But wait," I hear you cry, "how can it work with only the objectclass and cn defined? Surely you need to map something to nisNetgroupTriple and memberNisNetgroup." Indeed. But Directory Utility.app won’t present any other mappings for netgroups.

Let’s create some dummy groups in /etc/netgroup.

    group subgroup
    subgroup (host,,) (another_host,,)

Now if I run the program I compiled up, it almost works.

    $ netgroups group
    subgroup
    $ netgroups subgroup
    host
    another_host

Both runs of the program should have produced the same results. But at least it’s displaying something. Let’s see what DirectoryService makes of these netgroups.
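As a reference for what the nested lookup should have produced, here is an added example (not code from the post) that expands the /etc/netgroup sample above the way getnetgrent() is expected to: it follows nested netgroup names, keeps only the host field of each triple, and skips wildcard (empty) host fields. The in-memory netgroup_db, lookup_group and expand_hosts are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/netgroup syntax, mirroring the dummy groups
 * from the post; this is not read from the real netgroup database. */
static const char *netgroup_db[] = {
    "group subgroup",
    "subgroup (host,,) (another_host,,)",
    NULL
};
/* Return the member list of a netgroup record, or NULL if unknown. */
static const char *lookup_group(const char *name) {
    size_t n = strlen(name);
    for (const char **rec = netgroup_db; *rec; rec++)
        if (strncmp(*rec, name, n) == 0 && (*rec)[n] == ' ')
            return *rec + n + 1;
    return NULL;
}

/* Expand a netgroup into host names, following nested netgroups the way
 * getnetgrent() is expected to.  Returns the number of hosts written. */
int expand_hosts(const char *name, char out[][64], int max, int depth) {
    const char *p = lookup_group(name);
    int count = 0;
    if (!p || depth > 8) return 0;         /* unknown group or cyclic nesting */
    while (count < max) {
        while (*p == ' ') p++;             /* skip member separators */
        if (!*p) break;
        const char *end = strchr(p, ' ');
        int len = end ? (int)(end - p) : (int)strlen(p);
        char tok[64];
        snprintf(tok, sizeof tok, "%.*s", len, p);
        p += len;
        if (tok[0] != '(') {               /* nested netgroup name */
            count += expand_hosts(tok, out + count, max - count, depth + 1);
            continue;
        }
        char *stop = strpbrk(tok + 1, ",)"); /* triple: (host,user,domain) */
        if (stop) *stop = '\0';
        if (tok[1] == '\0') continue;      /* empty host field = wildcard */
        snprintf(out[count++], 64, "%s", tok + 1);
    }
    return count;
}
int main(int argc, char **argv) {
    char hosts[32][64];
    int n = expand_hosts(argc > 1 ? argv[1] : "group", hosts, 32, 0);
    for (int i = 0; i < n; i++) printf("%s\n", hosts[i]);
    return 0;
}
```

Run against the sample, both `group` and `subgroup` yield `host` and `another_host`, which is what the Leopard run above should have shown for `group`.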

    $ dscl localhost -read /Search/NetGroups/group
    dsAttrTypeNative:triplet: subgroup
    AppleMetaNodeLocation: /BSD/local
    RecordName: group
    $ dscl localhost -read /Search/NetGroups/subgroup
    dsAttrTypeNative:triplet: host,, another_host,,
    AppleMetaNodeLocation: /BSD/local
    RecordName: subgroup

With the LDAP mappings defined the results for the appliances netgroup are less exciting.

    $ dscl localhost -read /Search/NetGroups/appliances
    dsAttrTypeNative:cn: appliances
    dsAttrTypeNative:nisNetgroupTriple: (accesspoint,,) (router,,) (wii,,)
    dsAttrTypeNative:objectClass: nisNetgroup
    AppleMetaNodeLocation: /LDAPv3/ldap.cambridge.iain.cx
    RecordName: appliances
    RecordType: dsRecTypeStandard:NetGroups

Without a mapping to the dsAttrTypeNative:triplet we appear to be stuffed. Just for fun I tried to create a netgroup in the local domain.

    # dscl localhost -create /Local/Default/NetGroups/localgroup
    # dscl localhost -create /Local/Default/NetGroups/localgroup triplet localhost,,

This seemed to work.

    $ netgroups localgroup
    localhost

Perhaps bodging the LDAP schema and adding a triplet attribute would work. It would be ugly though. I’ll look at Computer and ComputerGroup records next…
