CipUX Feature Netgroup

This page briefly describes the implementation of the netgroup feature for CipUX.

History of "netgroups"

The netgroup feature was implemented for Skolelinux/DebianEdu as a webmin module ("netgroups"). This module was able to add a host (workstation or server) to a so-called "netgroup". Once the host was added, it was able to mount the NFS share from the server. The module was also used to divide hosts into groups.

Pros:

Cons:

Description of implementation of webmin module "netgroups" (by Benedikt Wildenhain)

Example output of ldapsearch before adding any host beside tjener:

dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: server-hosts
nisNetgroupTriple: (tjener,-,-)

Output after using webmin to add a new server host:

dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: server-hosts
nisNetgroupTriple: (my-new-server-host,-,-)
nisNetgroupTriple: (tjener,-,-)

So basically a value of the form nisNetgroupTriple: ($hostname,-,-) was added. The following CommonNames (cn) have to be selectable:

The LDAP attribute nisNetgroupTriple is defined in "nis.schema" from openldap.

New object adding a new hostgroup:

dn: cn=my-new-server-group,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: my-new-server-group

After adding this group as a subgroup of server-hosts, a new value named memberNisNetgroup is added:

dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
[...]
memberNisNetgroup: my-new-server-group

The LDAP attribute memberNisNetgroup is defined in "nis.schema" from openldap.
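
Because server-hosts can include other netgroups through memberNisNetgroup, the hosts that end up in it are the union of its own triples and those of every nested group. The following added example (not part of CipUX or the webmin module) resolves that set from LDIF and guards against netgroups that reference each other; the host backup01, the back-reference and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the ldapsearch output shown on this page;
# backup01 and the back-reference to server-hosts are invented for the example.
SAMPLE_LDIF = """\
dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: nisNetgroup
cn: server-hosts
nisNetgroupTriple: (my-new-server-host,-,-)
nisNetgroupTriple: (tjener,-,-)
memberNisNetgroup: my-new-server-group

dn: cn=my-new-server-group,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: nisNetgroup
cn: my-new-server-group
nisNetgroupTriple: (backup01,-,-)
memberNisNetgroup: server-hosts
"""

TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_netgroups(ldif):
    """Return {cn: {"hosts": set, "members": set}} from unwrapped LDIF text."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        attrs = [line.split(": ", 1) for line in block.splitlines() if ": " in line]
        cn = next(v for k, v in attrs if k == "cn")
        entry = groups.setdefault(cn, {"hosts": set(), "members": set()})
        for key, value in attrs:
            if key == "nisNetgroupTriple":
                m = TRIPLE.match(value)
                if not m:
                    raise ValueError(f"bad triple in {cn}: {value!r}")
                entry["hosts"].add(m.group(1))
            elif key == "memberNisNetgroup":
                entry["members"].add(value)
    return groups

def effective_hosts(groups, name, seen=None):
    """Hosts of `name` plus all nested netgroups; `seen` breaks reference loops."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    hosts = set(groups[name]["hosts"])
    for sub in groups[name]["members"]:
        hosts |= effective_hosts(groups, sub, seen)
    return hosts
```
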

Description of implementation of netgroup feature in CipUX 3.2.12

This feature must be an optional CipUX feature, because there might be installations without NFS or network shares at all. To switch it off and on we use a variable in the "CipUX" configuration section in LDAP.

To switch it on for CipUX >=3.2.12:

cipux_task_change_cipux_config_variable_value CipUX CipUX_Feature_Netgroup 1

To switch it off for CipUX >=3.2.12:

cipux_task_change_cipux_config_variable_value CipUX CipUX_Feature_Netgroup 0

Implementation in CipUX LDAP Abstraction Layer

The netgroup class must be added in CipUX LDAP Abstraction layer.

NID = netgroup ID (canonical name)

VALUE = (machine,user,domain); the brackets are stored inside the attribute!

triple = (machine,user,domain); the brackets are printed out!

triplelist = linear list of triple

Implementation in CipUX::Task (CLI, XML-RPC API)

The following CipUX::Task commands are needed:

NID = Netgroup ID (canonical name)

MID = Machine ID (canonical name)

UID = User ID (canonical name)

DID = Domain ID (canonical name)

whereas the following internal convention is valid:

Implementation in CAT (cipux-cat-web) GUI

The new feature must be available in some GUI. Because BenediktWildenhain or ChristianKuelker have Perl knowledge, they will implement this first in cat-webmin or cat-web. Since webmin will not be in Etch, it only makes sense to implement this in cat-web. Others may implement it in the PHP branch of CAT later.

CAT-web uses the LDAP entry in the configuration section:

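use CipUX::Cat::Web;

# Ask the server whether the netgroup feature is switched on.
# $login and $ticket are assumed to be set by the calling code.
my $CipUX_Feature_Netgroup = &rpc($login, $ticket,
                                  "cipux_task_tell_me_cipux_config_variable_value",
                                  ["CipUX", "CipUX_Feature_Netgroup"]) || 0;
if ($CipUX_Feature_Netgroup) {
  # do something
}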

[...] (to be continued)

Usage of the Netgroups in CipUX 3.2.12

With the CipUX XML-RPC client/server

[ ... ]

Within the LDAP Abstraction Layer

This guide is for developers who implement CipUX::Task commands.

Warning: do not use the LDAP Abstraction Layer directly unless you know what you are doing. You can easily erase your database or write nonsense into a huge number of database fields. This might lead to a completely non-functional server. Use CipUX::Task commands instead!

cipux_get_value

Retrieve the value for "server-hosts":

./cipux_get_value -n server-hosts -e nisNetgroupTriple

Result:

(tjener,-,-)

Retrieving all values of nisNetgroupTriple for all groups:

./cipux_get_value -N  -e nisNetgroupTriple

Result:

server-hosts    (tjener,-,-)
workstation-hosts       x
all-hosts       x
printer-hosts   x
ltsp-server-hosts       x

(e.g.: between "all-hosts" and "x" is a \t)

Retrieving memberNisNetgroup for all netgroups (by default there is none!):

./cipux_get_value -N  -e memberNisNetgroup

Result:

server-hosts    x
workstation-hosts       x
all-hosts       x
printer-hosts   x
ltsp-server-hosts       x

("x" stands for "no-value"; derived from Japanese and called "batsu")

Add a host to all groups:

./cipux_set_value -N -a -e nisNetgroupTriple -v '(cleon,-,-)'

Result:

You can verify this:

./cipux_get_value -N  -e nisNetgroupTriple

Result:

server-hosts    (tjener,-,-)    (cleon,-,-)
workstation-hosts       (cleon,-,-)
all-hosts       (cleon,-,-)
printer-hosts   (cleon,-,-)
ltsp-server-hosts       (cleon,-,-)

Remove a host from printer-hosts:

./cipux_set_value -n printer-hosts -d -e nisNetgroupTriple -v '(cleon,-,-)'

Result:

You can verify this:

./cipux_get_value -N  -e nisNetgroupTriple

Result:

server-hosts    (tjener,-,-)    (cleon,-,-)
workstation-hosts       (cleon,-,-)
all-hosts       (cleon,-,-)
printer-hosts   x
ltsp-server-hosts       (cleon,-,-)

Remove host from all netgroups:

./cipux_set_value -N -d -e nisNetgroupTriple -v '(cleon,-,-)'

Result:

You can verify this:

./cipux_get_value -N  -e nisNetgroupTriple

Result:

server-hosts    (tjener,-,-)
workstation-hosts       x
all-hosts       x
printer-hosts   x
ltsp-server-hosts       x
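
Since "-N" changes every netgroup at once, it is worth comparing the listing against the intended membership after each bulk change. The following added example (not part of CipUX) parses the tab-separated output of "cipux_get_value -N -e nisNetgroupTriple" and reports hosts that are unexpectedly present in or missing from a netgroup; the function names and the EXPECTED baseline are hypothetical.

```python
import re

TRIPLE = re.compile(r"^\(([^,()\s]*),([^,()\s]*),([^,()\s]*)\)$")

# Constructed sample: the tab-separated listing shown above after adding
# cleon to every netgroup and removing it from printer-hosts.
SAMPLE_OUTPUT = (
    "server-hosts\t(tjener,-,-)\t(cleon,-,-)\n"
    "workstation-hosts\t(cleon,-,-)\n"
    "all-hosts\t(cleon,-,-)\n"
    "printer-hosts\tx\n"
    "ltsp-server-hosts\t(cleon,-,-)\n"
)

def parse_listing(text):
    """Map each netgroup to the set of machine names in its triples."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *values = line.split("\t")
        hosts = set()
        for value in values:
            if value == "x":          # "x" is the tool's no-value marker
                continue
            m = TRIPLE.match(value)
            if m is None:
                raise ValueError(f"{name}: malformed triple {value!r}")
            hosts.add(m.group(1))
        groups[name] = hosts
    return groups

def drift(actual, expected):
    """Return {netgroup: (unexpected_hosts, missing_hosts)} for differing groups."""
    report = {}
    for name in sorted(set(actual) | set(expected)):
        have, want = actual.get(name, set()), expected.get(name, set())
        if have != want:
            report[name] = (sorted(have - want), sorted(want - have))
    return report

# Hypothetical baseline: cleon is meant to be a workstation only.
EXPECTED = {"server-hosts": {"tjener"}, "workstation-hosts": {"cleon"},
            "all-hosts": {"cleon"}, "printer-hosts": set(),
            "ltsp-server-hosts": set()}
```
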

cipux_set_value

Adding the machine "cleon" to the workstations

./cipux_set_value -n workstation-hosts -e nisNetgroupTriple -v cleon

Result:

ldap_modify: Invalid syntax (21)
        additional info: nisNetgroupTriple: value #0 invalid per syntax

This is wrong, because the syntax of nisNetgroupTriple is different. You should do it like this:

./cipux_set_value -n workstation-hosts -e nisNetgroupTriple -v '(cleon,-,-)'

Result:

You can check that with cipux_get_value:

./cipux_get_value -N -e nisNetgroupTriple

Result:

server-hosts    (tjener,-,-)
workstation-hosts       (cleon,-,-)
all-hosts       x
printer-hosts   x
ltsp-server-hosts       x

cipux_add

Adding laptops:

./cipux_add -n --attribute cn=laptop-hosts

Result:

adding new entry "cn=laptop-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no"

cipux_del

Removing laptops:

./cipux_del -n laptop-hosts

Result: