LDAP Netgroup Enforcement Via /etc/profile

Problem - When using LDAP as a name service, the traditional /etc/passwd @netgroup syntax does not work very smoothly. Typically an admin will want to restrict logins to a server using netgroups stored in the name service: for example, the admin may not want DBAs to log in to the DNS servers, or web admins to log in to the Oracle servers.

The following code may be added to /etc/profile to accomplish the same thing. It assumes that you create a netgroup with the same name as the server (unqualified hostname) and place an NIS netgroup triple for each user allowed access in that netgroup. Because /etc/profile is read by Bourne-compatible login shells, the check runs at interactive login: a user who is in neither the host's netgroup nor the local /etc/passwd file has the login shell killed.



SERVERS='ldapdev ldap1'
HOST="`hostname | cut -f1 -d.`"
BASE='ou=netgroup,dc=domain_central,dc=local'
LDAPSEARCH="/bin/ldapsearch -h"

# A triple looks like (host,user,domain); match the user field whole so that
# "al" does not match "alice" the way a bare "grep $LOGNAME" would.
PATTERN="^nisNetgroupTriple: ([^,]*,$LOGNAME,"

TEST=0
SUCCESS=0

for server in $SERVERS
do
        # Ask this server for the netgroup named after the host and count the
        # triples naming $LOGNAME. An unreachable server yields a count of 0
        # and the next server is tried.
        TEST=`$LDAPSEARCH $server -b $BASE cn=$HOST | /bin/grep -c "$PATTERN"`
        if [ "$TEST" -gt 0 ]
                then
                  SUCCESS=$TEST
                  break
        fi
done

if [ "$SUCCESS" -eq 0 ]
        then
            # Not in the netgroup: allow only a local account whose login name
            # field is exactly $LOGNAME (a substring match would be too loose).
            if /bin/grep -q "^$LOGNAME:" /etc/passwd
            then
               :    # local account, let the login continue
            else
               printf '%s is NOT in %s netgroup or local /etc/passwd file.\nYou are NOT authorized to log in here!\n' "$LOGNAME" "$HOST"
               /bin/kill -9 $$
            fi
fi
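The same netgroup-then-/etc/passwd decision as a stand-alone script, added here as an example (it is not code from the original page). Instead of grepping for the login name as a substring of the ldapsearch output, it parses each nisNetgroupTriple line field by field, so a short login name cannot match a longer one. The LDIF and the passwd lines are constructed sample data, and the netgroup name, base DN and user names are assumptions for the example. Two deliberate choices go beyond the page's snippet: a triple with an empty user field (which netgroup(5) treats as "any user") is not honoured, and memberNisNetgroup nesting is not followed, so only users named explicitly in the host's netgroup are let in.

```sh
#!/bin/sh
# Added example, not code from the original page. It applies the same
# netgroup-then-/etc/passwd decision as the /etc/profile snippet, but parses
# the nisNetgroupTriple lines field by field instead of grepping for a
# substring of the login name. Both inputs are constructed sample data.

# Constructed LDIF, shaped like ldapsearch output for the host netgroup "ldap1".
SAMPLE_LDIF='dn: cn=ldap1,ou=netgroup,dc=domain_central,dc=local
objectClass: nisNetgroup
cn: ldap1
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,domain_central)
nisNetgroupTriple: (somehost,,)
memberNisNetgroup: dbas'

# Constructed /etc/passwd excerpt for the local-account fallback.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
al:x:1001:1001:Al:/home/al:/bin/sh'

# netgroup_allows USER   (netgroup LDIF on stdin)
# Exit 0 when some nisNetgroupTriple (host,user,domain) has USER as its
# user field, 1 otherwise. A triple with an empty user field, which the
# netgroup(5) rules treat as "any user", is deliberately not honoured here:
# a user must be named explicitly to get in. memberNisNetgroup nesting is
# not followed either, so nested groups grant nothing.
netgroup_allows() {
    awk -v user="$1" '
        /^nisNetgroupTriple:/ {
            t = $2
            sub(/^\(/, "", t); sub(/\)$/, "", t)
            n = split(t, f, ",")        # f[1]=host f[2]=user f[3]=domain
            if (n == 3 && f[2] == user) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# local_user USER   (passwd-format lines on stdin)
# Exit 0 when USER is exactly the login name field of some line.
local_user() {
    awk -F: -v user="$1" '$1 == user { found = 1; exit } END { if (found) exit 0; exit 1 }'
}

# login_decision USER -> prints "allow" or "deny" for the sample data above.
login_decision() {
    if printf '%s\n' "$SAMPLE_LDIF" | netgroup_allows "$1"; then
        echo allow      # named in the host netgroup
    elif printf '%s\n' "$SAMPLE_PASSWD" | local_user "$1"; then
        echo allow      # local account on this host
    else
        echo deny
    fi
}

login_decision alice    # allow: named in a triple
login_decision al       # allow: local account, even though "al" is not "alice"
login_decision ali      # deny: only a substring of "alice", no local account
login_decision carol    # deny: in neither place
```

In /etc/profile the decision would feed the kill of the login shell as in the snippet above; here it just prints allow or deny so the matching rules can be checked against sample data before they are put in front of real logins.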

This page was taken from www.geocities.com/arndike/sds_howto.html