Working with netgroups overview

Contributors

You can use netgroups for user authentication and to match clients in export policy rules. You can provide access to netgroups from external name servers (LDAP or NIS), or you can load netgroups from a uniform resource identifier (URI) into SVMs using the vserver services name-service netgroup load command.

What you’ll need

Before working with netgroups, you must ensure the following conditions are met:

  • All hosts in netgroups, regardless of source (NIS, LDAP, or local files), must have both forward (A) and reverse (PTR) DNS records to provide consistent forward and reverse DNS lookups.

    In addition, if an IP address of a client has multiple PTR records, all of those host names must be members of the netgroup and have corresponding A records.

  • The names of all hosts in netgroups, regardless of their source (NIS, LDAP, or local files), must be correctly spelled and use the correct case. Case inconsistencies in host names used in netgroups can lead to unexpected behavior, such as failed export checks.

  • All IPv6 addresses specified in netgroups must be shortened and compressed as specified in RFC 5952.

    For example, 2011:hu9:0:0:0:0:3:1 must be shortened to 2011:hu9::3:1.

About this task

When you work with netgroups, you can perform the following operations:

  • You can use the vserver export-policy netgroup check-membership command to help determine whether a client IP is a member of a certain netgroup.

  • You can use the vserver services name-service getxxbyyy netgrp command to check whether a client is part of a netgroup.

    The underlying service for doing the lookup is selected based on the configured name service switch order.