On Thu, Oct 31, 2019 at 02:02:51PM +0000, Charles Hedrick wrote:
> I need to support netgroup checks in a service, written in C. I’m asking the 
> SSSD list because we’re using SSSD, which means that netgroup operations are 
> routed to the SSSD provider.
> 
> I found that innetgr doesn’t work if there are nested netgroups. The man 
> page doesn’t suggest that this would happen, though various online 
> discussions seem to suggest it. As far as I can tell, using the usual libc 
> routines, I’d have to do a recursive enumeration of the netgroup. This seems 
> pretty silly, since the host's memberOf attribute shows what netgroups it’s 
> a member of, whether direct or indirect. You could also enumerate using the 
> compat tree, which lets a single LDAP query get all members of the netgroup.

Hi,

It would be good if you could share some logs covering the failed
attempt. IIRC, nested netgroups are handled by SSSD and glibc together.
I.e. SSSD will not resolve a nested netgroup automatically but just
returns the name, and glibc asks for the members of the nested group
if needed.

bye,
Sumit

> 
> For the moment I’m doing LDAP operations. My application already needs to do 
> GSSAPI-authenticated LDAP operations, so I have an LDAP connection already. A 
> netgroup check requires two queries, which could reasonably be cached. Look up 
> the netgroup by name to find the unique ID. Look up the host and see if the 
> unique ID matches any memberOf attributes. 
> 
> But not all applications would be set up so this is easy. Is there a 
> reasonable way to check netgroup membership using normal libc calls?
> 
> 
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
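The recursive enumeration of nested netgroups discussed in this thread, as an added example that is not part of the original messages and is not SSSD or glibc code. It walks a constructed in-memory netgroup table (the `SAMPLE` data and all function names are assumptions), stops on cycles, and treats unknown groups as non-membership so an access check fails closed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample data: each netgroup has direct hosts and nested netgroups. */
struct netgroup {
    const char *name;
    const char *hosts[4];   /* NULL-terminated direct host members */
    const char *nested[4];  /* NULL-terminated names of member netgroups */
};

static const struct netgroup SAMPLE[] = {
    { "all-servers", { NULL },                     { "web", "db", NULL } },
    { "web",         { "web1.example.com", NULL }, { NULL } },
    { "db",          { "db1.example.com", NULL },  { "loop", NULL } },
    { "loop",        { NULL },                     { "db", NULL } }, /* cycle: db -> loop -> db */
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Index of the named netgroup in SAMPLE, or -1 if it does not exist. */
static int find_group(const char *name)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (strcmp(SAMPLE[i].name, name) == 0)
            return (int)i;
    return -1;
}

/* Depth-first walk. visited[] breaks cycles, so a malformed directory entry
 * cannot cause unbounded recursion; unknown groups count as "not a member". */
static int walk(int idx, const char *host, unsigned char *visited)
{
    if (idx < 0 || visited[idx])
        return 0;
    visited[idx] = 1;
    const struct netgroup *g = &SAMPLE[idx];
    for (size_t i = 0; i < 4 && g->hosts[i]; i++)
        if (strcmp(g->hosts[i], host) == 0)
            return 1;
    for (size_t i = 0; i < 4 && g->nested[i]; i++)
        if (walk(find_group(g->nested[i]), host, visited))
            return 1;
    return 0;
}

/* Returns 1 if host is a direct or indirect member of netgroup, else 0. */
int host_in_netgroup(const char *netgroup, const char *host)
{
    unsigned char visited[SAMPLE_COUNT] = { 0 };
    return walk(find_group(netgroup), host, visited);
}
```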