Netgroup Managers in FreeIPA

The last two articles described how to delegate management of user groups and host groups. The other way to manage both hosts and users in FreeIPA is with Netgroups. Although Netgroups are a concept from NIS, FreeIPA takes them to the next level, and makes them into containers capable of managing both users and groups. This article shows how to delegate the control of a netgroup to a specified user.

First, create a netgroup

[root@f16server ~]# ipa netgroup-add 
Netgroup name: beowulf-netgroup
Description: Beowulf Resources
---------------------------------
Added netgroup "beowulf-netgroup"
---------------------------------
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  IPA unique ID: 71ea8d08-5530-11e1-9487-525400ff995b

To illustrate the differences between user groups, host groups, and netgroups, let's add some elements to the netgroup.

[root@f16server ~]# ipa netgroup-add-member beowulf-netgroup
[member user]: admiyo
[member group]: editors
[member host]: www1.ayoung.boston.devel.redhat.com
[member host group]: beowulf-hosts
[member netgroup]: 
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  Member User: admiyo
  Member Group: editors
  Member Host: www1.ayoung.boston.devel.redhat.com
  Member Hostgroup: beowulf-hosts

This shows the LDAP underpinning of the FreeIPA code. Note where the entities are stored.

[root@f16server ~]# ipa netgroup-show beowulf-netgroup --all --raw
  dn: ipauniqueid=71ea8d08-5530-11e1-9487-525400ff995b,cn=ng,cn=alt,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  cn: beowulf-netgroup
  description: Beowulf Resources
  nisdomainname: ayoung.boston.devel.redhat.com
  ipauniqueid: 71ea8d08-5530-11e1-9487-525400ff995b
  memberhost: fqdn=www1.ayoung.boston.devel.redhat.com,cn=computers,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberhost: cn=beowulf-hosts,cn=hostgroups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberuser: cn=editors,cn=groups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberuser: uid=admiyo,cn=users,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  objectclass: ipaobject
  objectclass: ipaassociation
  objectclass: ipanisnetgroup

Note that both users and user groups are stored in the memberuser attribute, whereas hosts and host groups are stored in the memberhost attribute.

So to modify the netgroup, the delegated user needs write permission on the memberuser and memberhost attributes. For the objectclass in the permission's filter, specify ipanisnetgroup.

Before moving on I deleted these members, as I want to use them again later on for testing.

[root@f16server ~]# ipa permission-add 'beowulf-netgroup-modify'  --permissions=write --attrs=memberhost,memberuser  --filter='(&(cn=beowulf-netgroup)(objectclass=ipanisnetgroup ))'
------------------------------------------
Added permission "beowulf-netgroup-modify"
------------------------------------------
  Permission name: beowulf-netgroup-modify
  Permissions: write
  Attributes: memberhost, memberuser
  Filter: (&(cn=beowulf-netgroup)(objectclass=ipanisnetgroup ))
 
[root@f16server ~]# ipa privilege-add-permission beowulf-manage --permission=beowulf-netgroup-modify
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group, beowulf-hostgroup-modify,
               beowulf-netgroup-modify
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------
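The raw entry above makes two things visible: the netgroup itself only separates memberuser from memberhost, and the container in each member DN is what tells a user apart from a user group (or a host from a host group); the permission then has to cover exactly those two attributes and select the right entry via its filter. The Python below is an added example, not the article's or FreeIPA's own code. It parses a netgroup entry constructed from the --raw output shown earlier, classifies the members by DN container, and checks a permission definition (attribute list plus LDAP filter) against the entry with a small filter evaluator that assumes only the &, | and equality filter forms are used.

```python
"""Classify FreeIPA netgroup members from `ipa netgroup-show --raw` output and
check that a permission covers what a delegated netgroup manager must write.
Added example, not FreeIPA's own code; the entry below is constructed from the
article's output and parse_filter() handles only &, | and equality filters."""
import re

# Constructed sample: the raw netgroup entry shown in the article (trimmed).
RAW_ENTRY = """\
  cn: beowulf-netgroup
  nisdomainname: ayoung.boston.devel.redhat.com
  memberhost: fqdn=www1.ayoung.boston.devel.redhat.com,cn=computers,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberhost: cn=beowulf-hosts,cn=hostgroups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberuser: cn=editors,cn=groups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberuser: uid=admiyo,cn=users,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  objectclass: ipaobject
  objectclass: ipaassociation
  objectclass: ipanisnetgroup
"""

# The permission the article creates (filter written without the stray space).
NETGROUP_MODIFY_PERMISSION = {
    "attrs": ["memberhost", "memberuser"],
    "filter": "(&(cn=beowulf-netgroup)(objectclass=ipanisnetgroup))",
}

# The netgroup entry only distinguishes memberuser from memberhost; the
# container in each member DN says whether it is a user, group, host or host group.
CONTAINER_KIND = {
    ("memberuser", "cn=users"): "user",
    ("memberuser", "cn=groups"): "group",
    ("memberhost", "cn=computers"): "host",
    ("memberhost", "cn=hostgroups"): "hostgroup",
}

def parse_raw_entry(text):
    """Turn `attr: value` lines into {attr: [values]} with lowercased attribute names."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def split_dn(dn):
    """Split a DN into (attr, value) RDN pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def classify_members(attrs):
    """Sort memberuser/memberhost DNs into users, groups, hosts and host groups."""
    members = {"user": [], "group": [], "host": [], "hostgroup": []}
    for attr in ("memberuser", "memberhost"):
        for dn in attrs.get(attr, []):
            rdns = split_dn(dn)
            container = "=".join(rdns[1])  # e.g. "cn=users" or "cn=computers"
            kind = CONTAINER_KIND.get((attr, container))
            if kind is None:
                raise ValueError(f"unexpected {attr} container in {dn}")
            members[kind].append(rdns[0][1])  # the leaf RDN value is the name
    return members

def parse_filter(text):
    """Parse an LDAP filter limited to (&...), (|...) and (attr=value) terms."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, children = text[pos], []
            pos += 1
            while text[pos] == "(":
                children.append(node())
            pos += 1  # skip the closing ')'
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", (attr.strip().lower(), value.strip()))
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def filter_matches(tree, attrs):
    """Evaluate a parsed filter against an entry; values compare case-insensitively."""
    op, arg = tree
    if op == "&":
        return all(filter_matches(child, attrs) for child in arg)
    if op == "|":
        return any(filter_matches(child, attrs) for child in arg)
    attr, wanted = arg
    return any(v.lower() == wanted.lower() for v in attrs.get(attr, []))

def permission_covers(permission, attrs, needed=("memberuser", "memberhost")):
    """True if the permission's filter selects this entry and its attribute list
    includes every attribute a netgroup manager has to write."""
    if not filter_matches(parse_filter(permission["filter"]), attrs):
        return False
    return set(needed) <= {a.lower() for a in permission["attrs"]}
```

Running `classify_members(parse_raw_entry(RAW_ENTRY))` yields one user, one group, one host and one host group, which is the same split the `ipa netgroup-add-member` prompts presented; `permission_covers` returns True for the article's permission and False for a permission that lists only memberuser or whose filter names a different netgroup.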

Finally, test as the delegated user.

[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM: 
[root@f16server ~]# ipa netgroup-add-member beowulf-netgroup --hosts www1.ayoung.boston.devel.redhat.com --users admiyo
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  Member User: admiyo
  Member Group: editors
  Member Host: www1.ayoung.boston.devel.redhat.com
  Member Hostgroup: beowulf-hosts
-------------------------
Number of members added 2
-------------------------
[root@f16server ~]# ipa netgroup-remove-member beowulf-netgroup --hosts www1.ayoung.boston.devel.redhat.com --users admiyo
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  Member Group: editors
  Member Hostgroup: beowulf-hosts
---------------------------
Number of members removed 2
---------------------------

Again, I deleted the elements that I added as admin before. If you add the same entry twice, you will get errors. You can delete them as the delegated user as well as add them.

Since Netgroups can be used pretty much anywhere that user groups and host groups can be used (SUDO and HBAC especially), they are likely to become your first point of contact for management. Like user groups and host groups, netgroups support nesting. In fact, a netgroup can be nested inside a host group or a user group, and its elements will gain membership in the corresponding host groups or user groups.
