Preparing your LDAP Directory for HP-UX Integration

33
Netgroups
Netgroup membership is limited to 1024 bytes. The formula for determining the maximum number of
members in a netgroup is, however, simpler (it is given at the end of this page).
Nested Groups
The groupOfNames and groupOfUniqueNames object classes, as mentioned on page 34, allow any entry to
be a member of a group, including other groups (which creates nesting). Current versions of the
NIS/LDAP Gateway product and LDAP-UX Client Services product do not support nested groups.
Netgroups: Issues and Limitations
A netgroup is a powerful tool for controlling access to systems and applications. Netgroups can be created
to control login access to a host, NFS mounts or other application-dependent uses.
However, because of the size limitation mentioned above, the structure of a netgroup does not map well to
an LDAP directory. Here's why:
The innetgr() API procedure is used to determine whether a user is a member of a netgroup. It is the
key procedure used to determine whether a user is allowed to access a resource (for example, limiting
who may log in to a system).
Because netgroups can be nested, membership in a netgroup can be quite large. So, to determine whether
a user is a member of a netgroup, the entire netgroup and all its subgroups must be examined. For a
large netgroup, this causes the enumeration problems described on page 21. To prevent
enumeration, NIS defines a special map called the netgroup.byuser map (a netgroup.byhost map also
exists for searches using a system name). This map lists all the netgroups that a user is a
member of. Because it eliminates enumeration, this map greatly improves the performance of
innetgr() lookups. However, the architecture of the "netgroup triple" and the nesting of netgroups make
it impossible to create an LDAP search request that can perform an indexed search to determine
netgroup membership.
To prevent enumeration and still use an LDAP directory for netgroups, the netgroup.byuser and
netgroup.byhost maps must be created and placed in the directory. If you are familiar with directory
database architecture, you will see that these maps function much like indexes: they are used to
quickly find information in the netgroup database. RFC 2307 defines a method to create arbitrary NIS
maps in the LDAP directory using the nisMapName and nisObject object classes, so the netgroup.byuser
and netgroup.byhost maps can be placed in the LDAP directory using those object classes. However,
creating these maps also replicates data in the LDAP directory. This means that when a change to a
netgroup is made, modifications are required both to the nisNetgroup entry and to the corresponding
nisObject subtree in the directory. Without automated procedures, the nisObject subtree will likely fall
out of sync and will need to be rebuilt occasionally. The migration scripts can be used to rebuild the netgroup.byuser and
$$\text{Number\_of\_Members} = \frac{1024}{\text{average\_size\_of\_netgroup\_member} + 1}$$
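As an added example (not code from the HP paper or the migration scripts), the following Python builds the netgroup.byuser map described above from nisNetgroup entries, following memberNisNetgroup nesting with cycle protection, answers the innetgr() question with a single key lookup, emits the map as RFC 2307 nisObject entries, and reports map keys that have drifted out of sync with the netgroup definitions. The sample netgroups, the dc=example,dc=com base DN, and the "user.domain" key form (with "*" for an empty domain field, assumed to follow the NIS convention) are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample of RFC 2307 nisNetgroup entries keyed by cn (not a real directory):
# "triples" are nisNetgroupTriple values "(host,user,domain)", "members" are
# memberNisNetgroup values (nested netgroups); "guests" <-> "everyone" forms a cycle.
NETGROUPS = {
    "admins":   {"triples": ["(,alice,)", "(,bob,)"], "members": []},
    "ops":      {"triples": ["(,carol,)"],            "members": ["admins"]},
    "everyone": {"triples": [],                       "members": ["ops", "guests"]},
    "guests":   {"triples": ["(kiosk1,,)"],           "members": ["everyone"]},
}

def flatten(name, groups, seen=None):
    """All (host, user, domain) triples reachable from a netgroup through nesting, i.e. the
    enumeration innetgr() must do without an index; the visited set stops cyclic recursion."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    found = {tuple(t.strip("()").split(",")) for t in groups[name]["triples"]}
    for sub in groups[name]["members"]:
        found |= flatten(sub, groups, seen)
    return found

def build_byuser(groups):
    """netgroup.byuser map: key 'user.domain' ('*' for an empty domain field, assumed NIS
    convention) -> sorted names of every netgroup, direct or nested, containing that user."""
    index = defaultdict(set)
    for name in groups:
        for _host, user, domain in flatten(name, groups):
            if user:
                index[f"{user}.{domain or '*'}"].add(name)
    return {key: sorted(names) for key, names in index.items()}

def innetgr(index, netgroup, user, domain=""):
    """Indexed membership test: one key lookup instead of walking the netgroup tree."""
    return netgroup in index.get(f"{user}.{domain or '*'}", [])

def byuser_ldif(index, base="nisMapName=netgroup.byuser,dc=example,dc=com"):
    """One nisObject entry per map key, the RFC 2307 form for an arbitrary NIS map."""
    lines = []
    for key, names in sorted(index.items()):
        lines += [f"dn: cn={key},{base}", "objectClass: nisObject", f"cn: {key}",
                  "nisMapName: netgroup.byuser", f"nisMapEntry: {','.join(names)}", ""]
    return "\n".join(lines)

def stale_keys(stored, groups):
    """Map keys whose stored nisMapEntry no longer matches the nisNetgroup entries (drift)."""
    fresh = build_byuser(groups)
    return sorted(k for k in set(stored) | set(fresh) if stored.get(k) != fresh.get(k))
```

Running stale_keys against the directory's current nisObject subtree is the check that tells you when the netgroup.byuser map needs rebuilding.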