4

Is there any way to use one of LDAP's DN-based groups for linux groups instead of using the uid-based posixGroup objectclass?

More broadly, is there any way I can avoid having one set of groups for supporting linux accounts and a parallel set of groups that's used by everything else?

Brad Mace

2 Answers

5

Yes.

In your nss_ldap configuration file, set nss_schema:

nss_schema rfc2307bis

On your server in the schema, make sure the posixGroup object class is auxiliary instead of structural.

Then you can use both the groupOfMembers (new) or groupOfNames (old) and posixGroup object classes for each group. Each member will be in a member attribute:

dn: cn=foo,ou=Groups,dc=example
objectclass: top
objectclass: posixgroup
objectclass: groupofmembers
gidnumber: 9234
member: uid=bob,ou=people,dc=example
member: uid=alice,ou=people,dc=example
Jeff Strunk
  • I had to add `groupOfMembers` to my schema manually and add `nss_map_attribute uniqueMember member`, but I got it working. Now I'm stuck on nested groups, know anything about that? – Brad Mace Jan 27 '11 at 20:28
  • Never mind, it started working. I think I probably had just some bogus values that were messing things up. – Brad Mace Jan 28 '11 at 03:36
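A lint pass over group entries in the layout described above, as an added example that is not part of the original answer. It assumes nss_ldap is running with `nss_schema rfc2307bis` (so NSS reads members from the DN-valued `member` attribute and ignores `memberUid`) and uses a constructed LDIF sample; it flags groups NSS cannot see, groups that become empty under the new schema, and two entries sharing one gidNumber.

```python
# Added example (not from the original answer). Assumes nss_ldap runs with
# `nss_schema rfc2307bis`, so NSS reads group members from `member` (DNs) and
# ignores the RFC 2307 `memberUid` attribute. The LDIF below is constructed.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=foo,ou=Groups,dc=example
objectclass: posixgroup
objectclass: groupofmembers
gidnumber: 9234
member: uid=bob,ou=people,dc=example

dn: cn=legacy,ou=Groups,dc=example
objectclass: posixgroup
gidnumber: 9234
memberuid: carol

dn: cn=webteam,ou=Groups,dc=example
objectclass: groupofmembers
member: uid=alice,ou=people,dc=example
"""

def parse_ldif(text):
    # Split LDIF into (dn, {attr_lowercase: [values]}); no base64 or line wrapping.
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()].append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def lint_groups(text):
    # Return {dn: [findings]} for groups NSS will misread or that collide on GID.
    findings, gid_owners = defaultdict(list), defaultdict(list)
    for dn, attrs in parse_ldif(text):
        if "posixgroup" not in {c.lower() for c in attrs["objectclass"]}:
            findings[dn].append("no posixGroup objectclass: not a Unix group for NSS")
        if attrs["memberuid"] and not attrs["member"]:
            findings[dn].append("members only in memberUid: empty group under rfc2307bis")
        for gid in attrs["gidnumber"]:
            gid_owners[gid].append(dn)
    # Two entries sharing a gidNumber give each other's members the same Unix access.
    for gid, owners in gid_owners.items():
        for dn in owners if len(owners) > 1 else ():
            findings[dn].append(f"gidNumber {gid} also used by {len(owners) - 1} other group(s)")
    return dict(findings)
```

Run it against an `ldapsearch -LLL` dump of your group subtree before switching nss_schema, so groups that would silently lose members show up first.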
3

To get the groupOfMembers schema, you can either extract it from the RFC, or use this one that's been done for you, and save it to /etc/openldap/schema/rfc2307bis.schema. This schema supersedes the nis schema, so remove that one first.

If you're using the cn=config backend:

  1. create a file convert-schema.conf containing
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/rfc2307bis.schema
    
  2. create a directory called /tmp/converted
  3. convert the schema to LDIF: slaptest -f convert-schema.conf -F /tmp/convert/
    • Fix any errors, including removing apostrophes in values and removing references to the authPassword attribute until slaptest succeeds
  4. copy /tmp/convert/cn=config/cn=schema/cn={2}rfc2307bis.ldif to /etc/openldap/rfc2307bis.ldif
  5. modify rfc2307bis.ldif
    • change the first line to dn: cn=rfc2307bis,cn=schema,cn=config
    • change the third line to cn: rfc2307bis
    • remove the seven lines at the end (structuralObjectClass through modifyTimestamp)
  6. import the schema LDIF:
    ldapadd -f rfc2307bis.ldif -D "cn=admin,cn=config" -W
Brad Mace
  • 1
    Note that the extracted schema file is NOT directly importable in OpenLDAP 2.4, some edits need to be made. My updated version is found at https://github.com/shoop/openldap-rfc2307bis/blob/master/rfc2307bis.schema – Stijn Hoop Nov 28 '14 at 20:22