CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Question: Does the NACM implementation support the enable-external-groups option #1478

Closed bbergquist0930 closed 9 months ago

bbergquist0930 commented 9 months ago

Not sure if this should be asked here in Netopeer2 or in Sysrepo, where it appears that NACM is implemented.

In the NACM YANG model there is this

3.3.4.5. enable-external-groups Switch

When this global switch is set to "true", the group names reported by the transport layer for a session are used together with the locally configured group names to determine the access control rules for the session.

When this switch is set to "false", the group names reported by the transport layer are ignored by the NACM.

Is that supported by the combination of packages in any way? In doing some research, it appears that the YumaWorks packages provide the ability to register an API callback which can provide a list of external groups. I was wondering if there was anything similar in Netopeer2/Sysrepo?

jktjkt commented 9 months ago

This leaf is indeed implemented in sysrepo, and it's used to control whether the UNIX groups of the user are included in the group list or not. This calls into the system C library via getgrouplist(3) and getgrgid_r(3). On a glibc-based system, this means that it will respect whatever NSS settings you have, so if your system is configured to retrieve the group list from LDAP or Radius, for example, so will sysrepo.

The RFC terminology might be a bit misleading, but at least in the case of SSH, this "transport layer" is what actually performs authentication, and since this is done once again using the system C-library functions to map to Unix system accounts, I think that this is consistent behavior.

bbergquist0930 commented 9 months ago

Thank you, and thank you for the link to the code as well. I did peruse the code but missed that.