Hi,
You might want to check out nisNetgroup functionality.
1. Add the rfc2307bis definition to your nis.schema:
#attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
# DESC 'Netgroup triple'
# SYNTAX 1.3.6.1.1.1.0.0 )
# rfc2307bis
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2. Add NIS netgroups to your directory:
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
...
3. Add compat mode to nsswitch.conf:
passwd: compat
passwd_compat: ldap
group: compat
group_compat: ldap
4. Add netgroup entries to /etc/passwd and /etc/shadow:
Last line of /etc/passwd:
+@myhostname:x:::::
Last line of /etc/shadow:
+@myhostname:NP:::::::
Now only local users and users listed in
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
can log in to the machine.
For easy administration you can group users together
in netgroups and allow those as memberNisNetgroup:
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
memberNisNetgroup: rhdmin
memberNisNetgroup: mysqldba
...
Regards,
Juergen Sprenger
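The following is an added example, not code from the post above: a small Python resolver that reads nisNetgroup entries in LDIF form, flattens nested memberNisNetgroup references (cycle-safe), and answers the question an administrator auditing a host's `+@netgroup` line wants answered: which users does that netgroup actually grant access to? The sample entries, the group names rhadmin and mysqldba, and the users alice, bob and carol are constructed for this example; the matching rule (an empty triple field acts as a wildcard) follows the usual innetgr semantics rather than any one libc's compat implementation.

```python
"""Resolve nisNetgroup membership from LDIF-style entries (added example)."""
import re

# Constructed sample data: the host netgroup from the post plus two nested
# groups; mysqldba also refers back to rhadmin to exercise cycle handling.
SAMPLE_LDIF = """\
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
memberNisNetgroup: rhadmin
memberNisNetgroup: mysqldba

dn: cn=rhadmin,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: rhadmin
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,example.com)
memberNisNetgroup: mysqldba

dn: cn=mysqldba,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: mysqldba
nisNetgroupTriple: (dbhost,carol,)
memberNisNetgroup: rhadmin
"""

# A triple is "(host,user,domain)"; any field may be empty (= wildcard).
TRIPLE_RE = re.compile(r"^\(\s*([^,]*)\s*,\s*([^,]*)\s*,\s*([^)]*)\s*\)$")


def parse_netgroups(ldif):
    """Return {cn: (triples, member_netgroups)} from plain LDIF text.

    Only plain "attr: value" lines are handled (no base64 "::" values,
    no line continuations); entries are separated by a blank line.
    """
    groups = {}
    for block in ldif.strip().split("\n\n"):
        cn, triples, members = None, [], []
        for line in block.splitlines():
            if ":" not in line:
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "cn":
                cn = value
            elif attr == "nisnetgrouptriple":
                m = TRIPLE_RE.match(value)
                if not m:
                    raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
                triples.append(tuple(f.strip() for f in m.groups()))
            elif attr == "membernisnetgroup":
                members.append(value)
        if cn:
            groups[cn] = (triples, members)
    return groups


def expand(groups, name, seen=None):
    """Flatten a netgroup and its nested members into a set of triples.

    The shared 'seen' set stops recursion on circular memberNisNetgroup
    references, which would otherwise loop forever.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    triples, members = groups.get(name, ([], []))
    result = set(triples)
    for member in members:
        result |= expand(groups, member, seen)
    return result


def innetgr(groups, name, user, host="", domain=""):
    """innetgr-style check: an empty field in a triple matches anything."""
    for h, u, d in expand(groups, name):
        if (h in ("", host)) and (u in ("", user)) and (d in ("", domain)):
            return True
    return False


def granted_users(groups, name):
    """Users named in any triple of the (flattened) netgroup: what an
    auditor should compare against the expected login list for the host."""
    return {u for _, u, _ in expand(groups, name) if u}


if __name__ == "__main__":
    g = parse_netgroups(SAMPLE_LDIF)
    print("users granted via +@myhostname:", sorted(granted_users(g, "myhostname")))
```

Running it against a real directory would mean replacing SAMPLE_LDIF with an ldapsearch export of ou=Netgroup; the useful check is that granted_users() for the host's netgroup contains exactly the accounts you intended, since nested memberNisNetgroup references can quietly widen that set.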