Netgroup Constraints

Netgroup Constraints

Sometimes it is necessary for a configuration map entry ([Configuration Maps]) to apply to only a subset of hosts. There are a number of good reasons when netgroup constraints will be required, here are some of them:

• You have some restrictions on which user accounts should be visible in different environments but you want a single login domain.
• You have transformation rules ([Transformation Rules]) or overlays ([Overlays]) that you want to set on a specific group of hosts.
• You want particular network services to appear to only the applications that need them.

Netgroup constraints allow a configuration map entry to be applied only if the client is a member of a list of netgroups. This is achieved by setting the exactNetgroup attribute. Alternatively the notNetgroup attribute may be used to restrict the configuration map entry to those clients that are not a member of a list of netgroups.

Here is an example configuration map entry that uses exactNetgroup. In this case, user accounts are being added to the passwd database for any hosts in the unix-hosts and unix-hosts2 netgroups:

dn: cn=passwd-merger,en=sales.corp,ou=domain-mappings,o=infra
objectClass: top
objectClass: dbisMapConfig
objectClass: dbisPasswdConfig
cn: passwd-merger
dbisMapDN: ou=passwd,ou=merger,o=infra
dbisMapFilter: objectClass=posixUserAccount
dbisMapGecos: displayName
dbisOverlayDN: ou=passwd,ou=overlays,ou=sales-merger,o=infra
exactNetgroup: unix-hosts
exactNetgroup: unix-hosts2

Next Steps

Return to [Configuring DBIS] for the next steps in setting up a new installation.