Hi,
You might want to check out nisNetgroup functionality.
1. Add the rfc2307bis definition to your nis.schema:

#attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
#    DESC 'Netgroup triple'
#    SYNTAX 1.3.6.1.1.1.0.0 )

# rfc2307bis
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
    DESC 'Netgroup triple'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
2. Add NIS netgroups to your directory:

dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
...
3. Add compat mode to nsswitch.conf:

passwd: compat
passwd_compat: ldap
group: compat
group_compat: ldap
4. Add netgroup entries to /etc/passwd and /etc/shadow:

Last line of /etc/passwd:
+@myhostname:x:::::

Last line of /etc/shadow:
+@myhostname:NP:::::::
Now only local users and users listed in dn: cn=myhostname,ou=Netgroup,dc=example,dc=com can log in to the machine.
For easy administration you can group users together in netgroups and allow those as memberNisNetgroup:

dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
memberNisNetgroup: rhdmin
memberNisNetgroup: mysqldba
...
Regards
Juergen Sprenger
openldap-technical@openldap.org
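The following is an added example, not code from the post or from OpenLDAP. It resolves nisNetgroup membership offline from a constructed LDIF dump in the layout the post describes, so the effect of the nisNetgroupTriple and memberNisNetgroup entries can be checked before the +@netgroup line goes into /etc/passwd. The netgroup names, users and hosts in the sample are made up; the matching applies the usual netgroup triple rule (an empty field matches anything) to host and domain as well as user, which is stricter than the post's (,user,) triples need.

```python
"""Resolve nisNetgroup membership offline, as a +@netgroup compat entry would see it.

Added example; the LDIF below is constructed, not taken from a real directory.
"""

# Constructed sample LDIF. cn=myhostname lists two users directly and nests
# two further netgroups; rhadmin refers back to myhostname on purpose so the
# resolver has to tolerate a cycle.
SAMPLE_LDIF = """\
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: myhostname
description: users allowed to log in to myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
memberNisNetgroup: rhadmin
memberNisNetgroup: mysqldba

dn: cn=rhadmin,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: rhadmin
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (myhostname,bob,)
memberNisNetgroup: myhostname

dn: cn=mysqldba,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: mysqldba
nisNetgroupTriple: (dbhost,carol,example.com)
"""


def parse_triple(value):
    """Turn '(host,user,domain)' into a 3-tuple; an empty field becomes None (wildcard)."""
    body = value.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"not a netgroup triple: {value!r}")
    fields = [f.strip() for f in body[1:-1].split(",")]
    if len(fields) != 3:
        raise ValueError(f"netgroup triple needs exactly 3 fields: {value!r}")
    return tuple(f or None for f in fields)


def parse_ldif(text):
    """Return {cn: {"triples": [...], "members": [...]}} from a flat LDIF dump.

    Entries are separated by blank lines. Only the attributes that matter for
    netgroup resolution are kept; objectClass, description etc. are ignored.
    """
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if attr == "dn":
            current = {"triples": [], "members": []}
        elif current is None:
            continue
        elif attr == "cn":
            groups[value] = current
        elif attr == "nisNetgroupTriple":
            current["triples"].append(parse_triple(value))
        elif attr == "memberNisNetgroup":
            current["members"].append(value)
    return groups


def expand(groups, name, seen=None):
    """Yield every triple reachable from netgroup `name`, following
    memberNisNetgroup recursively. Unknown names and cycles are skipped."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return
    seen.add(name)
    yield from groups[name]["triples"]
    for member in groups[name]["members"]:
        yield from expand(groups, member, seen)


def triple_matches(triple, host, user, domain):
    """innetgr-style match: a None (empty) field in the triple matches anything."""
    return all(want is None or want == have
               for want, have in zip(triple, (host, user, domain)))


def in_netgroup(groups, netgroup, host, user, domain=None):
    """Membership test for one (host, user, domain), nested netgroups included."""
    return any(triple_matches(t, host, user, domain) for t in expand(groups, netgroup))


def allowed_users(groups, netgroup, host, domain=None):
    """Users the netgroup admits on `host`: every user named in a triple whose
    host and domain fields match. Triples without a user name hosts, not logins."""
    return {t[1] for t in expand(groups, netgroup)
            if t[1] is not None and triple_matches(t, host, t[1], domain)}


def login_allowed(local_users, groups, netgroup, host, user, domain=None):
    """Model of the post's end state: local accounts plus netgroup members may log in."""
    return user in local_users or in_netgroup(groups, netgroup, host, user, domain)


if __name__ == "__main__":
    g = parse_ldif(SAMPLE_LDIF)
    print("on myhostname:", sorted(allowed_users(g, "myhostname", "myhostname")))
    print("on dbhost:", sorted(allowed_users(g, "myhostname", "dbhost", "example.com")))
```

Running the block prints the user set admitted on each host; the same resolver can be pointed at the output of an ldapsearch against ou=Netgroup to compare what the directory says with what getent netgroup reports on the client.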