Tuesday, July 29, 2008

Netgroups with LDAP for NFS authorization

Since the success of our LDAP implementation for centralized user/password naming services, we have started to utilize LDAP for many more naming services such as hosts, netgroups, Sun Desktop Manager, and user authorization for various applications that support it. Netgroups have proven to be a simple, handy solution to authorizing access to systems and NFS shares, something that we really couldn't live without after transitioning from NIS+ to LDAP.

Here is an example implementation of utilizing a netgroup "nfs-clients" for authorization to NFS shares. Very simple and effective in only allowing those servers that you trust to mount up NFS shares from central fileservers. I'm quite sure there are some spoofing methods (including DNS cache poisoning, since the NFS server matches the client by its resolved hostname) that could drastically affect the effectiveness of this method, but it's better than leaving an NFS share open to the [internal] world to mount up.

As with most of my postings, the context of this setup is Sun Java Directory Server 6.x with Solaris-based LDAP clients performing queries against the directory. Small modifications can make this work on other *nix/LDAP platforms.
  • If you don't already have it, create a new OU called ou=netgroup,dc=your,dc=domain.
  • Create a new object under this new OU, with objectclasses of: top and nisNetgroup
  • Configure the attributes of this nisNetgroup object similarly to the example below, remembering that the nisNetgroupTriple attribute is multi-valued and will hold an entry for each host (must be listed as FQDNs!!!) that will be allowed to mount NFS shares that specify this netgroup in /etc/dfs/dfstab
    nisNetgroupTriple: (nfsclient1.domain.net,,)
    nisNetgroupTriple: (nfsclient2.domain.net,,)
    objectClass: nisNetgroup
    objectClass: top
    cn: nfs-clients

  • Modify the DUA profile that the LDAP clients are configured with to include a ServiceSearchDescriptor such as the following, to ensure that nsswitch looks in the right branch of the directory tree for the netgroup information:
    netgroup:ou=netgroup,dc=your,dc=domain?sub
  • Now, modify your dfstab entry to specify options for the share(s) to reference netgroups to allow ro/rw access and mapping of the root user:
    share -F nfs -o ro=nfs-clients,root=nfs-clients /export/home
  • Of course, run the shareall command to reshare this NFS export with the updated options, and it would probably be a good idea to restart nscd (name service cache daemon) as well.
  • On your NFS/LDAP clients, make sure that the value for the netgroup lookup is set to LDAP:
    # grep netgroup /etc/nsswitch.conf
    netgroup: ldap
  • Mount it up on one of the servers specified in the netgroup, nfs-clients, and attempt to mount it on a server not listed in that netgroup to validate that authorization control is working properly.
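As an added, self-contained example (not code from the original post), the whole procedure above as a POSIX shell script: it builds the LDIF for the nfs-clients netgroup from a list of hosts while enforcing the FQDN requirement, emits the dfstab share line, reads the netgroup source out of an nsswitch.conf fragment, and checks netgroup membership for a listed and an unlisted host the way the final validation step does. The base DN ou=netgroup,dc=your,dc=domain and the nfsclientN.domain.net names are the post's placeholders, the nsswitch.conf fragment is constructed, and the ldapadd invocation in the comment is illustrative and is not executed.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check the pieces of
# the netgroup-based NFS authorization setup described above, entirely offline.

# Base DN from the post; replace with your own directory suffix.
NETGROUP_BASE="ou=netgroup,dc=your,dc=domain"

# is_fqdn HOST: succeed only if HOST is a fully qualified name (at least one
# dot, valid label characters). The post stresses that triples must be FQDNs:
# a short name here silently fails to match when the NFS server resolves the
# connecting client's address back to a name.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# netgroup_ldif NAME HOST...: print an LDIF entry for a nisNetgroup with one
# (host,,) triple per member. Fails (exit 1, nothing printed) on a non-FQDN member.
netgroup_ldif() {
    name=$1
    shift
    for h in "$@"; do
        is_fqdn "$h" || { echo "netgroup_ldif: '$h' is not an FQDN" >&2; return 1; }
    done
    printf 'dn: cn=%s,%s\n' "$name" "$NETGROUP_BASE"
    printf 'objectClass: top\n'
    printf 'objectClass: nisNetgroup\n'
    printf 'cn: %s\n' "$name"
    for h in "$@"; do
        printf 'nisNetgroupTriple: (%s,,)\n' "$h"
    done
}

# share_line NETGROUP PATH: the /etc/dfs/dfstab line that limits read-only
# access and root mapping to members of NETGROUP.
share_line() {
    printf 'share -F nfs -o ro=%s,root=%s %s\n' "$1" "$1" "$2"
}

# nsswitch_netgroup_source TEXT: print the source(s) configured for the
# netgroup database in an nsswitch.conf body passed as a string.
nsswitch_netgroup_source() {
    printf '%s\n' "$1" | sed -n 's/^netgroup:[[:space:]]*//p'
}

# netgroup_has_host LDIF HOST: succeed if HOST appears as a host triple in LDIF,
# i.e. the server would grant it access under the share line above.
netgroup_has_host() {
    printf '%s\n' "$1" | grep -Fxq "nisNetgroupTriple: ($2,,)"
}

# --- Stand-alone run with constructed sample data ---------------------------
LDIF=$(netgroup_ldif nfs-clients nfsclient1.domain.net nfsclient2.domain.net) || exit 1
printf '%s\n' "$LDIF"
# Load it into the directory (illustrative, not run here):
#   ldapadd -h <ldap-host> -D "<bind-dn>" -f nfs-clients.ldif
share_line nfs-clients /export/home

# Constructed nsswitch.conf fragment standing in for the client-side check.
SAMPLE_NSSWITCH='passwd: files ldap
hosts: files dns
netgroup: ldap'
echo "client netgroup source: $(nsswitch_netgroup_source "$SAMPLE_NSSWITCH")"

# Validation step from the post: a listed host matches, an unlisted one does not.
netgroup_has_host "$LDIF" nfsclient1.domain.net && echo "nfsclient1.domain.net: allowed"
netgroup_has_host "$LDIF" nfsclient3.domain.net || echo "nfsclient3.domain.net: denied"
```

Feed the printed LDIF to ldapadd against your directory, put the share line in /etc/dfs/dfstab and run shareall; the FQDN check in netgroup_ldif is the part worth keeping, because a short name in a triple produces a netgroup that looks correct in the directory but never matches a client.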
I'll make another post, very similar to this one, explaining how to set up host lookups in LDAP as well. This is handy if you want to store some host/IP address mapping records in LDAP versus DNS (believe me, there are situations that call for this). I would suggest sticking with DNS for this purpose as much as possible, as it is optimized for host lookups, but like I said there are situations where this is helpful.