CipUX Feature Netgroup
This page briefly describes the implementation of the netgroup feature for CipUX.
History of "netgroups"
The netgroup feature was implemented for Skolelinux/DebianEdu as a webmin module ("netgroups"). This module could add a host (workstation or server) to a so-called "netgroup". Once a host was added, it was able to mount the NFS share from the server. Netgroups were also used to divide hosts into groups.
Pros:
- webmin module exists and works
Cons:
- it is not user-friendly at all ("go back to save your changes")
- it depends on webmin (and webmin will be removed in etch)
Description of implementation of webmin module "netgroups" (by Benedikt Wildenhain)
Example output of ldapsearch before adding any host beside tjener:
dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: server-hosts
nisNetgroupTriple: (tjener,-,-)
Output after using webmin to add a new server host:
dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: server-hosts
nisNetgroupTriple: (my-new-server-host,-,-)
nisNetgroupTriple: (tjener,-,-)
So basically a value nisNetgroupTriple: ($hostname,-,-) was added to the group entry. The following common names (cn) have to be selectable:
- server-hosts
- workstation-hosts
- ltsp-server-hosts
- printer-hosts
- all-hosts? (a group covering the members of all four groups above)
- any custom group defined by the admin (see below)
The LDAP attribute nisNetgroupTriple is defined in "nis.schema" from OpenLDAP.
- Each value has three fields: host, user, and domain.
- An empty field is a wildcard that matches anything, so a value such as (,-,-) matches every host. A field containing "-" matches nothing, which is why the host-only entries above are written as (hostname,-,-). Check for accidentally empty fields before exporting NFS shares to a netgroup.
New object for adding a new host group:
dn: cn=my-new-server-group,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: nisNetgroup
cn: my-new-server-group
After adding this group as a subgroup of server-hosts, a new value named memberNisNetgroup is added:
dn: cn=server-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no
[...]
memberNisNetgroup: my-new-server-group
The LDAP attribute memberNisNetgroup is defined in "nis.schema" from openldap.
Description of implementation of netgroup feature in CipUX 3.2.12
This feature must be an optional CipUX feature, because there might be installations without NFS or network shares at all. It is switched on and off with a variable in the "CipUX" configuration section in LDAP.
To switch it on for CipUX >=3.2.12:
cipux_task_change_cipux_config_variable_value CipUX CipUX_Feature_Netgroup 1
To switch it off for CipUX >=3.2.12:
cipux_task_change_cipux_config_variable_value CipUX CipUX_Feature_Netgroup 0
Implementation in CipUX Ldap Abstraction Layer
The netgroup class must be added to the CipUX LDAP Abstraction Layer.
- cipux_add -n NID
- cipux_del -n NID
- cipux_set_value -n NID -e LDAP_Attribute -v VALUE
- cipux_set_value -N -e LDAP_Attribute -v VALUE
- triple = cipux_get_value -n NID -e LDAP_Attribute
- triplelist = cipux_get_value -N -e LDAP_Attribute
NID = netgroup ID (canonical name)
VALUE = (machine,user,domain); the parentheses are stored as part of the attribute value!
triple = (machine,user,domain); the parentheses are printed out as well!
triplelist = linear list of triples
Implementation in CipUX::Task (CLI, XML-RPC API)
The following CipUX::Task commands are needed:
- list = cipux_task_list_netgroups
- cipux_task_create_netgroup NID
- cipux_task_delete_netgroup NID
- cipux_task_add_machine_to_netgroup NID member_MID
- cipux_task_remove_machine_from_netgroup NID member_MID
- list = cipux_task_list_machine_members_of_netgroup NID
- cipux_task_add_user_to_netgroup NID member_UID
- cipux_task_remove_user_from_netgroup NID member_UID
- list = cipux_task_list_user_members_of_netgroup NID
- cipux_task_add_domain_to_netgroup NID member_DID
- cipux_task_remove_domain_from_netgroup NID member_DID
- list = cipux_task_list_domain_members_of_netgroup NID
- cipux_task_add_triple_to_netgroup NID member_MID member_UID member_DID
- cipux_task_remove_triple_from_netgroup NID member_MID member_UID member_DID
- list = cipux_task_list_triple_members_of_netgroup NID
- list = cipux_task_list_subgroups_of_netgroup NID
- cipux_task_add_subnetgroup_to_netgroup sub_NID NID
- cipux_task_remove_subnetgroup_from_netgroup sub_NID NID
NID = Netgroup ID (canonical name)
MID = Machine ID (canonical name)
UID = User ID (canonical name)
DID = Domain ID (canonical name)
where the following internal convention holds:
- _add_machine_to_netgroup(NID, member_MID) = *_add_triple_to_netgroup(NID, member_MID, '-', '-')
- _add_user_to_netgroup(NID, member_UID) = *_add_triple_to_netgroup(NID, '-', member_UID, '-')
- _add_domain_to_netgroup(NID, member_DID) = *_add_triple_to_netgroup(NID, '-', '-', member_DID)
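Worked example, added here and not CipUX code: the Python below handles nisNetgroupTriple values in the stored form with parentheses (rejecting a bare hostname the way slapd does), applies the internal convention above for machine, user and domain members, follows memberNisNetgroup subgroups with protection against cyclic membership, and flags wildcard triples, since an empty host field grants every host access. The class and function names (`Triple`, `expand_netgroup`, `host_in_netgroup`, `wildcard_netgroups`), the dict layout standing in for the LDAP directory, and the sample entries are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Stored form of nisNetgroupTriple: the parentheses are part of the value.
TRIPLE_RE = re.compile(r"^\(([^,()\s]*),([^,()\s]*),([^,()\s]*)\)$")


@dataclass(frozen=True)
class Triple:
    host: str
    user: str
    domain: str

    @classmethod
    def parse(cls, value):
        """Parse '(host,user,domain)'. A bare hostname such as 'cleon' is
        rejected here, as slapd rejects it with 'Invalid syntax (21)'."""
        m = TRIPLE_RE.match(value)
        if m is None:
            raise ValueError("invalid nisNetgroupTriple syntax: %r" % (value,))
        return cls(*m.groups())

    def __str__(self):
        return "(%s,%s,%s)" % (self.host, self.user, self.domain)

    @staticmethod
    def _field_ok(field, candidate):
        if field == "":
            return True       # empty field: wildcard, matches anything
        if field == "-":
            return False      # "-": no valid value, matches nothing
        return field == candidate

    def matches(self, host, user, domain):
        return (self._field_ok(self.host, host) and
                self._field_ok(self.user, user) and
                self._field_ok(self.domain, domain))

    def is_wildcard(self):
        return "" in (self.host, self.user, self.domain)


# Internal convention from the text: single-member helpers are the triple
# helper with '-' in the unused fields.
def machine_triple(mid):
    return Triple(mid, "-", "-")


def user_triple(uid):
    return Triple("-", uid, "-")


def domain_triple(did):
    return Triple("-", "-", did)


def expand_netgroup(directory, nid, _seen=None):
    """All triples of netgroup nid, following memberNisNetgroup recursively.
    directory (assumed layout) maps cn -> {"nisNetgroupTriple": [...],
    "memberNisNetgroup": [...]}. A group that transitively contains itself
    is cut off instead of looping; a dangling subgroup raises KeyError."""
    seen = set() if _seen is None else _seen
    if nid in seen:
        return set()
    seen.add(nid)
    entry = directory[nid]
    triples = {Triple.parse(v) for v in entry.get("nisNetgroupTriple", [])}
    for sub in entry.get("memberNisNetgroup", []):
        triples |= expand_netgroup(directory, sub, seen)
    return triples


def host_in_netgroup(directory, nid, host):
    """NFS-style host check: only the host field counts, and an empty
    host field lets every host in."""
    return any(t.host in ("", host) for t in expand_netgroup(directory, nid))


def wildcard_netgroups(directory):
    """Netgroups that, directly or via subgroups, contain a wildcard triple."""
    return sorted(n for n in directory
                  if any(t.is_wildcard() for t in expand_netgroup(directory, n)))


# Constructed sample directory mirroring the ldapsearch output above, plus
# a workstation-hosts entry with an accidentally empty host field.
SAMPLE = {
    "server-hosts": {"nisNetgroupTriple": ["(tjener,-,-)"],
                     "memberNisNetgroup": ["my-new-server-group"]},
    "my-new-server-group": {"nisNetgroupTriple": ["(my-new-server-host,-,-)"]},
    "workstation-hosts": {"nisNetgroupTriple": ["(,-,-)"]},
    "all-hosts": {"memberNisNetgroup": ["server-hosts", "workstation-hosts"]},
}

if __name__ == "__main__":
    print(sorted(str(t) for t in expand_netgroup(SAMPLE, "all-hosts")))
    print("wildcard netgroups:", wildcard_netgroups(SAMPLE))
```

The `_seen` set is shared across sibling subgroups on purpose: a group reached twice through different paths is expanded once, and a membership loop (a contains b contains a) terminates instead of recursing forever.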
Implementation in CAT (cipux-cat-web) GUI
The new feature must be available in some GUI. Because BenediktWildenhain and ChristianKuelker have Perl knowledge, they will implement it first in cat-webmin or cat-web. Since webmin will not be in Etch, it only makes sense to implement it in cat-web. Others may implement it in the PHP branch of CAT later.
CAT-web reads the feature switch from the LDAP configuration section ($login and $ticket come from the current CAT-web session; a missing variable counts as "off"):
use CipUX::Cat::Web;

# Ask the XML-RPC server for the value of CipUX_Feature_Netgroup
# in the "CipUX" configuration section; default to 0 if unset.
my $CipUX_Feature_Netgroup = &rpc( $login, $ticket,
    "cipux_task_tell_me_cipux_config_variable_value",
    [ "CipUX", "CipUX_Feature_Netgroup" ] ) || 0;

if ($CipUX_Feature_Netgroup) {
    # do some thing
}
[...] (to be continued)
Usage of the Netgroups in CipUX 3.2.12
With the CipUX XML-RPC client/server
[ ... ]
Within the LDAP Abstraction Layer
This guide is for developers who implement CipUX::Task commands.
Warning: do not use the LDAP Abstraction Layer directly unless you know what you are doing. You can easily erase your database or write nonsense into a huge number of database fields, which may leave you with a completely non-functional server. Use CipUX::Task commands instead!
cipux_get_value
Retrieve the value for "server-hosts":
./cipux_get_value -n server-hosts -e nisNetgroupTriple
Result:
(tjener,-,-)
Retrieving all values of nisNetgroupTriple for all groups:
./cipux_get_value -N -e nisNetgroupTriple
Result:
server-hosts	(tjener,-,-)
workstation-hosts	x
all-hosts	x
printer-hosts	x
ltsp-server-hosts	x
(the netgroup name and its value are separated by a tab, e.g. between "all-hosts" and "x" there is a \t)
Retrieving all memberNisNetgroup values of all netgroups (by default there are none):
./cipux_get_value -N -e memberNisNetgroup
Result:
server-hosts	x
workstation-hosts	x
all-hosts	x
printer-hosts	x
ltsp-server-hosts	x
("x" stands for "no value"; derived from Japanese and called "batsu")
Add a host to all groups:
./cipux_set_value -N -a -e nisNetgroupTriple -v '(cleon,-,-)'
Result:
You can verify this:
./cipux_get_value -N -e nisNetgroupTriple
Result:
server-hosts	(tjener,-,-) (cleon,-,-)
workstation-hosts	(cleon,-,-)
all-hosts	(cleon,-,-)
printer-hosts	(cleon,-,-)
ltsp-server-hosts	(cleon,-,-)
Remove a host from printer-hosts:
./cipux_set_value -n printer-hosts -d -e nisNetgroupTriple -v '(cleon,-,-)'
Result:
You can verify this:
./cipux_get_value -N -e nisNetgroupTriple
Result:
server-hosts	(tjener,-,-) (cleon,-,-)
workstation-hosts	(cleon,-,-)
all-hosts	(cleon,-,-)
printer-hosts	x
ltsp-server-hosts	(cleon,-,-)
Remove host from all netgroups:
./cipux_set_value -N -d -e nisNetgroupTriple -v '(cleon,-,-)'
Result:
You can verify this:
./cipux_get_value -N -e nisNetgroupTriple
Result:
server-hosts	(tjener,-,-)
workstation-hosts	x
all-hosts	x
printer-hosts	x
ltsp-server-hosts	x
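As an added example, not part of this page or of CipUX, the following Python parses the listing printed by cipux_get_value -N and diffs two listings, turning the "you can verify this" step above into a check that exactly the intended netgroups changed and nothing else did. The listing layout (netgroup name, a tab, then the values separated by whitespace, or "x" when there is no value) is inferred from the outputs shown above and is an assumption; the function names and the constructed listings are this example's own.

```python
NO_VALUE = "x"   # "batsu": printed by cipux_get_value for an attribute without values


def parse_listing(text):
    """Parse 'cipux_get_value -N -e nisNetgroupTriple' output into
    {netgroup cn: set of raw triple strings}.
    Assumed layout (inferred from the page): one netgroup per line, the cn,
    a tab, then the values separated by whitespace, or "x" for no value."""
    listing = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, rest = line.partition("\t")
        if not sep:
            raise ValueError("expected <cn><TAB><values>, got %r" % (line,))
        values = rest.split()
        listing[name] = set() if values == [NO_VALUE] else set(values)
    return listing


def netgroups_of_host(listing, host):
    """Netgroups that contain a triple whose host field is exactly host."""
    prefix = "(%s," % host
    return sorted(n for n, vals in listing.items()
                  if any(v.startswith(prefix) for v in vals))


def diff_listing(before, after):
    """For every netgroup whose values changed: (added, removed).
    Run it on the listings taken before and after 'cipux_set_value -N -a'
    or '-d' to confirm only the intended netgroups were touched."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes[name] = (new - old, old - new)
    return changes


# Constructed listings reproducing the verification outputs above.
INITIAL = (
    "server-hosts\t(tjener,-,-)\n"
    "workstation-hosts\tx\n"
    "all-hosts\tx\n"
    "printer-hosts\tx\n"
    "ltsp-server-hosts\tx\n"
)
AFTER_ADD = (
    "server-hosts\t(tjener,-,-) (cleon,-,-)\n"
    "workstation-hosts\t(cleon,-,-)\n"
    "all-hosts\t(cleon,-,-)\n"
    "printer-hosts\t(cleon,-,-)\n"
    "ltsp-server-hosts\t(cleon,-,-)\n"
)
AFTER_REMOVE_PRINTER = AFTER_ADD.replace("printer-hosts\t(cleon,-,-)",
                                         "printer-hosts\tx")

if __name__ == "__main__":
    print(netgroups_of_host(parse_listing(AFTER_ADD), "cleon"))
    print(diff_listing(parse_listing(AFTER_ADD),
                       parse_listing(AFTER_REMOVE_PRINTER)))
```

The diff is symmetric, so an unexpected entry in the "removed" half after an add, or in the "added" half after a delete, points at a typo in the -n/-N selection or the triple value.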
cipux_set_value
Adding the machine "cleon" to the workstations
./cipux_set_value -n workstation-hosts -e nisNetgroupTriple -v cleon
Result:
ldap_modify: Invalid syntax (21) additional info: nisNetgroupTriple: value #0 invalid per syntax
This is wrong, because the syntax of nisNetgroupTriple is different: the value must be a full triple in parentheses, with "-" in the unused fields. You should do it like this:
./cipux_set_value -n workstation-hosts -e nisNetgroupTriple -v '(cleon,-,-)'
Result:
You can check that with cipux_get_value:
./cipux_get_value -N -e nisNetgroupTriple
Result:
server-hosts	(tjener,-,-)
workstation-hosts	(cleon,-,-)
all-hosts	x
printer-hosts	x
ltsp-server-hosts	x
cipux_add
Adding laptops:
./cipux_add -n --attribute cn=laptop-hosts
Result:
adding new entry "cn=laptop-hosts,ou=Netgroup,dc=skole,dc=skolelinux,dc=no"
cipux_del
Removing laptops:
./cipux_del -n laptop-hosts
Result: