About Groups
The netgrp Group
The netgrp group exists as a convenient way to set the permissions of all users that only exist on the [AAA] server, rather than having to manage the permissions of every remote-only user.
Below are some points on how the netgrp group operates:
- The netgrp group exists on all Lighthouses but is disabled by default.
- Do not enable the netgrp group before configuring its permissions, because it provides admin privileges by default.
- If a user authenticates remotely using a [AAA] server and that user doesn't yet exist locally on the Lighthouse, then the user is automatically added to the netgrp group. Note that a user can exist in the Lighthouse Linux system but not in the Lighthouse config.
There is no hard requirement for a remotely authenticated user to be a member of the netgrp group when logging in. However, if the netgrp group is the only way the user gains the permissions required to log in, then they do need to be a member of the netgrp group, and the group needs to be enabled.
Remote Groups
When a user authenticates using a [AAA] server, any groups that the server returns are added to a list of groups that the user becomes a member of. If any of those groups match a local group on the Lighthouse, then the user becomes a member of that group and gains any permissions provided by that group.
For example, if a user authenticates remotely and the [AAA] server returns the following groups:
- my_group1
- my_group2
If the Lighthouse has a group called my_group1 but does not have a group called my_group2, then the authenticated user will gain the privileges provided by my_group1, and the remote group my_group2 will simply be ignored.
Note: If the user is a member of any other groups locally on the Lighthouse, the user will also gain any permissions provided by those groups.
To summarise, a user will be a member of:
- the local groups that the user is locally configured to be a member of, AND
- any remote groups returned by the [AAA] server that match groups on the Lighthouse.
If the authenticated user doesn't yet exist on the Lighthouse, the user will be:
- a member of any remote groups that match groups on the Lighthouse, AND
- a member of the netgrp group. Note: the netgrp group is disabled by default.
If a group is disabled, the user does not get the permissions from that group.
Remote Group Name Conversion
To further align Lighthouse remote authentication with legacy console servers such as the ACM 7000, remote groups from the [AAA] server are applied as they are returned, but in addition the remote group names are converted such that:
- uppercase characters are converted to lowercase
- any character that is not a number, a letter, an underscore or a hyphen is converted to an underscore
- the converted group names are added to the unconverted group names
Some legacy console servers only use the converted group names, but Lighthouse uses both the unconverted and the converted remote group names.
If a converted group name is the same as the unconverted group name, the converted group name is simply ignored.
Below are examples of a remote group name and its corresponding converted group name:
My Group : my_group
My-Group# : my-group_
my@group : my_group
my#odd@$group : my_odd__group
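The following Python script is an added example, not Lighthouse code, that models the two rules described on this page: the remote group name conversion (lowercase, then any character other than a letter, digit, underscore or hyphen becomes an underscore, with the converted name added alongside the original and dropped when identical) and the resulting effective group membership (local memberships, matching remote groups, and netgrp for users that do not yet exist locally, with disabled groups granting nothing). It assumes "letter" means an ASCII letter and represents local groups as a simple name-to-enabled mapping; both are assumptions for the sake of illustration, as is the review helper at the end, which is useful when checking why a remote-only user ended up with admin rights via a netgrp group that was enabled before its permissions were set.

```python
import re

# Conversion rule from the page: lowercase first, then replace every character that
# is not a lowercase letter, digit, underscore or hyphen with an underscore.
# Assumption: "letter" is taken to mean an ASCII letter (a-z).
_NOT_ALLOWED = re.compile(r"[^a-z0-9_-]")


def convert_group_name(name: str) -> str:
    """Return the converted form of a remote group name."""
    return _NOT_ALLOWED.sub("_", name.lower())


def expand_remote_groups(remote_groups):
    """Return the unconverted names plus their converted forms, order preserved.

    A converted name identical to its unconverted name is ignored, and
    duplicates are dropped, matching the behaviour the page describes.
    """
    expanded = []
    for group in remote_groups:
        if group not in expanded:
            expanded.append(group)
        converted = convert_group_name(group)
        if converted != group and converted not in expanded:
            expanded.append(converted)
    return expanded


def effective_groups(remote_groups, local_groups, local_memberships=(), user_exists_locally=True):
    """Compute the set of groups whose permissions apply to an authenticated user.

    remote_groups       - group names returned by the [AAA] server
    local_groups        - mapping of local group name -> enabled (True/False)
    local_memberships   - groups the user is locally configured to belong to
    user_exists_locally - False for a remote-only user not yet in the config
    """
    candidates = set(local_memberships) if user_exists_locally else set()
    # Remote groups (original and converted) only count if a local group matches.
    candidates.update(g for g in expand_remote_groups(remote_groups) if g in local_groups)
    # A user that does not yet exist locally is added to netgrp automatically.
    if not user_exists_locally:
        candidates.add("netgrp")
    # A disabled group grants no permissions at all.
    return {g for g in candidates if local_groups.get(g, False)}


def explain_membership(remote_groups, local_groups, local_memberships=(), user_exists_locally=True):
    """Per-group explanation of why a user did or did not gain each candidate group."""
    report = {}
    for group in expand_remote_groups(remote_groups):
        if group not in local_groups:
            report[group] = "ignored: no matching local group"
        elif not local_groups[group]:
            report[group] = "no permissions: local group disabled"
        else:
            report[group] = "granted: matching local group enabled"
    if not user_exists_locally:
        report["netgrp"] = ("granted (admin by default)" if local_groups.get("netgrp")
                            else "no permissions: netgrp disabled")
    return report


if __name__ == "__main__":
    # Constructed sample: a remote-only user whose [AAA] server returns two groups.
    local = {"my_group1": True, "my-group_": True, "netgrp": False}
    remote = ["My Group1", "My-Group#"]
    print(expand_remote_groups(remote))
    print(sorted(effective_groups(remote, local, user_exists_locally=False)))
    for name, why in explain_membership(remote, local, user_exists_locally=False).items():
        print(f"{name}: {why}")
```

Running the script shows that "My Group1" is applied both as returned and as my_group1, only the converted form matches a local group, and netgrp contributes nothing while it remains disabled, which is the state the page recommends until its permissions have been configured.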