We're planning on using netgroups to control user access to the different
servers within our organization, and the netgroups will be populated based
on group memberships on the AD-side (we'll use WindowsSync to sync groups
from AD to DS). The basic idea is this:
- Sync AD-group entry "group1" over to DS-group entry "group1".
  Done automatically with WindowsSync.
- Populate netgroup entry "netgroup1" based on DS-group entry
  Alternately, add "netGroup" object class to DS-group entry.
- Configure clients to use netgroup based authentication.

A script will be created to manage netgroup membership dynamically, but
creation of netgroups will probably be done manually.

Anyway, we need to decide on whether to have a separate netgroup entry and
populate netgroup attributes here, or if we should simply add
netgroup attributes to the DS-group itself. I believe that both options will
work just fine, but would like to hear from others who may have implemented
a similar scheme. Maybe there are some pitfalls that we should be aware of.
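
An added example, not part of the original post: a sketch of the membership script for the separate-entry option, which reconciles a netgroup with its source group so that users removed on the AD side also lose server access. It assumes the DS group lists members as uniqueMember DNs with a uid= leading RDN and that the netgroup uses the RFC 2307 nisNetgroupTriple attribute; all DNs and names below are constructed.

```python
import re

def uid_from_dn(dn):
    """Return the uid value of the leading RDN, or None if it is not uid=..."""
    first_rdn = re.split(r'(?<!\\),', dn.strip(), maxsplit=1)[0]
    attr, _, value = first_rdn.partition('=')
    if attr.strip().lower() != 'uid' or not value.strip():
        return None
    return value.strip()

def desired_triples(member_dns):
    """Map group member DNs to (host,user,domain) triples with only the user set."""
    triples, skipped = set(), []
    for dn in member_dns:
        uid = uid_from_dn(dn)
        # Nested groups and uids that would break the triple syntax are reported, not guessed.
        if uid is None or re.search(r'[(),\s\\]', uid):
            skipped.append(dn)
        else:
            triples.add(f'(,{uid},)')
    return triples, skipped

def reconcile_ldif(netgroup_dn, current, desired):
    """Build an LDIF modify record that adds missing and deletes stale triples."""
    to_add = sorted(set(desired) - set(current))
    to_del = sorted(set(current) - set(desired))
    if not to_add and not to_del:
        return ''
    lines = [f'dn: {netgroup_dn}', 'changetype: modify']
    for op, values in (('add', to_add), ('delete', to_del)):
        if values:
            lines.append(f'{op}: nisNetgroupTriple')
            lines += [f'nisNetgroupTriple: {v}' for v in values]
            lines.append('-')
    return '\n'.join(lines) + '\n'

# Constructed sample data: members of DS group "group1" and the current netgroup state.
GROUP1_MEMBERS = [
    'uid=alice,ou=People,dc=example,dc=com',
    'uid=bob,ou=People,dc=example,dc=com',
    'cn=nested,ou=Groups,dc=example,dc=com',   # not a user entry, gets skipped
]
NETGROUP1_DN = 'cn=netgroup1,ou=Netgroups,dc=example,dc=com'
NETGROUP1_CURRENT = ['(,bob,)', '(,carol,)']   # carol has left group1

if __name__ == '__main__':
    wanted, skipped = desired_triples(GROUP1_MEMBERS)
    print(reconcile_ldif(NETGROUP1_DN, NETGROUP1_CURRENT, wanted), end='')
    for dn in skipped:
        print(f'# skipped (no usable uid): {dn}')
```

The generated LDIF can be reviewed before it is applied with ldapmodify; the skipped list is worth logging, since silently dropped members are how access drifts from what the AD group says.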