Netservices

Mark R. Bannister

Netservices provides a hierarchical layer on top of netgroups that can be used to model application roles, privileges and services. It is intended to simplify large netgroup configurations, and make it easier to audit who can do what in a large corporation. Netservices are introduced in detail in the DBIS blog article Introducing Netservices.

A netservice is a hierarchical naming scheme to which netgroups can be assigned. Consider the following example:

dn: en=ssh,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
objectClass: netserviceObject
en: ssh
description: Secure Shell Service

dn: en=login,en=ssh,ou=netservice,o=infra
objectClass: top
objectClass: netserviceDescriptor
en: login
exactNetservice: ftp:login
exactNetservice: web:login/anonymous
exactNetgroup: unix-admin

Here, members of the unix-admin netgroup are assigned the ssh:login netservice. An application will make a call to the DBIS innetsv API to determine if a user or host is a member of a netservice of interest, which translates to the question "is this person allowed to use the SSH login service?". See [Using DBIS] for more information on available APIs.

The netserviceObject class is used to define a new top-level container; in the above example, the container name is ssh. Underneath this container come multiple descriptors, identified by the netserviceDescriptor class.

Netservices can inherit from other netservices. In the above example, the exactNetservice attribute is used to request that anyone who has access to the ftp:login and web:login/anonymous services will also be granted the ssh:login service.
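Because inheritance is transitive, an audit of "who can use ssh:login" has to follow every exactNetservice reference, not just read the descriptor's own exactNetgroup values. The following is an added example, not DBIS code and not a call to the innetsv API: it expands a descriptor to the netgroups that effectively grant it and reports references to undefined netservices. The ftp:login entry, the ftp-users netgroup, the function names and the DN-to-name mapping are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: ssh:login is the page's entry; ftp:login and ftp-users are invented.
SAMPLE_LDIF = """\
dn: en=login,en=ssh,ou=netservice,o=infra
objectClass: netserviceDescriptor
en: login
exactNetservice: ftp:login
exactNetservice: web:login/anonymous
exactNetgroup: unix-admin

dn: en=login,en=ftp,ou=netservice,o=infra
objectClass: netserviceDescriptor
en: login
exactNetservice: ssh:login
exactNetgroup: ftp-users
"""

def parse(ldif):
    """Return {name: attrs}; name assumed from the DN: en=login,en=ssh -> ssh:login."""
    services = {}
    for block in ldif.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key].append(value)
        ens = [r[3:] for r in attrs["dn"][0].split(",") if r.startswith("en=")][::-1]
        if "netserviceDescriptor" in attrs["objectClass"] and len(ens) > 1:
            services[ens[0] + ":" + "/".join(ens[1:])] = {
                "groups": attrs["exactNetgroup"], "inherits": attrs["exactNetservice"]}
    return services

def effective_netgroups(services, name):
    """Return ({netgroup: inheritance path that grants it}, {undefined netservices})."""
    granted, dangling = {}, set()
    def walk(svc, path):
        if svc not in services:          # referenced but never defined
            dangling.add(svc)
        elif svc not in path:            # skip inheritance loops
            path = path + [svc]
            for group in services[svc]["groups"]:
                granted.setdefault(group, path)
            for inherited in services[svc]["inherits"]:
                walk(inherited, path)
    walk(name, [])
    return granted, dangling

if __name__ == "__main__":
    print(effective_netgroups(parse(SAMPLE_LDIF), "ssh:login"))
```

In the sample, ftp-users reaches ssh:login only through the inherited ftp:login descriptor, and web:login/anonymous is reported as undefined because no entry for it is present in the input.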

Next Steps

Return to [Configuring DBIS] for the next steps in setting up a new installation.


Related

Wiki: Configuration Maps
Wiki: ConfigurationMaps-RFC2307
Wiki: Configuring DBIS
Wiki: DBIS and RFC2307 - A Comparison
Wiki: Map Entries
