https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513370#M218616 I have been having exactly the same problem as described in the "LDAP netgroup problem" thread by Alec Pringle 3/2/2005. <BR /><BR />I tried the solution from that thread and at first glance it appears to work. I can now access the userids in the ldap directory. The problem is I can now access ALL the userids in the directory. The solution essentially turns off the netgroups. <BR /><BR />I need to restrict access to the client to only those users in teh directory who are members of the netgroup.<BR /><BR />Any ideas? Tue, 29 Mar 2005 08:17:21 GMT Glenn_73 2005-03-29T08:17:21Z https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513370#M218616 I have been having exactly the same problem as described in the "LDAP netgroup problem" thread by Alec Pringle 3/2/2005. <BR /><BR />I tried the solution from that thread and at first glance it appears to work. I can now access the userids in the ldap directory. The problem is I can now access ALL the userids in the directory. The solution essentially turns off the netgroups. <BR /><BR />I need to restrict access to the client to only those users in teh directory who are members of the netgroup.<BR /><BR />Any ideas? Tue, 29 Mar 2005 08:17:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513370#M218616 Glenn_73 2005-03-29T08:17:21Z https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513371#M218617 On the client, where you want to restice the access, you need to modify the /etc/passwd file as follows.<BR /><BR />+@group_name<BR /><BR />If you have + in /etc/passwd file, then all users will get access on this host.<BR /><BR />man passwd for details. Tue, 29 Mar 2005 08:54:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513371#M218617 RAC_1 2005-03-29T08:54:46Z https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513372#M218618 Yes indeed. My /etc/passwd has the +@group_name: at the end. <BR /><BR />With the "passwd: compat" etc in the nsswitch it seems to recognize that it has to deal with netgroups. With the nsswitch set to "passwd: files [NOTFOUND] ldap" it appears to ignore the +@group thing and allow access to all the userids in the ldap directory.<BR /><BR />This behavior make sense to me.<BR /><BR />Perhaps another hint:<BR /><BR />The finger comand appears to understand the netgroups and who is in it. Other commands like groups and su do not. In other words: when I have the "passwd:compat" in the nsswitch, and the +@group in the /etc/passwd, a finger will only show the userids in the valid netgroups. Other commands respond with "no such user".<BR /><BR />As with Alec Pringle's thread, this all seems to work OK on my Solaris clients.<BR /> Tue, 29 Mar 2005 09:19:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513372#M218618 Glenn_73 2005-03-29T09:19:41Z https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513373#M218619 You certaily do not need<BR />passwd : compact (It is for file and nis environment.)<BR /><BR />You need as follows.<BR /><BR />passwd: files [NOTFOUND=continue] ldap<BR />group : file [NOTFOUND=continue] ldap<BR />netgroup : ldap Tue, 29 Mar 2005 09:24:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/ldap-netgroup-problem-continued/m-p/3513373#M218619 RAC_1 2005-03-29T09:24:19Z