
I am struggling with my LDAP attributes.

I already created a few test users and groups, but I am unable to add users to the groups.

#!DATE 2014-05-22T11:48:16.324
#!ERROR [LDAP: error code 65 - attribute 'member' not allowed]
dn: cn=test,ou=groups,dc=example,dc=org
changetype: modify
add: member
member: cn=User Name,ou=users,dc=example,dc=org

The user group is just a simple PosixGroup:

dn: cn=test,ou=groups,dc=example,dc=org
changetype: add
gidNumber: 1234
objectClass: posixGroup
objectClass: top
cn: test

Nothing else. This is (I think) the relevant debug output:

May 22 13:48:12 intranet slapd[90208]: oc_check_required entry (cn=test,ou=groups,dc=example,dc=org), objectClass "posixGroup"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "cn"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "objectClass"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "structuralObjectClass"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "entryUUID"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "creatorsName"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "createTimestamp"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "gidNumber"
May 22 13:48:12 intranet slapd[90208]: oc_check_allowed type "member"
May 22 13:48:12 intranet slapd[90208]: Entry (cn=test,ou=groups,dc=example,dc=org), attribute 'member' not allowed
May 22 13:48:12 intranet slapd[90208]: entry failed schema check: attribute 'member' not allowed
May 22 13:48:12 intranet slapd[90208]: hdb_modify: modify failed (65)

I loaded the following schema files:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
#include         /usr/local/etc/openldap/schema/openldap.schema

Installed via pkg_ng

# pkg info openldap-server
openldap-server-2.4.39_1
Name           : openldap-server
Version        : 2.4.39_1
Installed on   : Mon May 19 16:48:33 CEST 2014
...

# uname -a
FreeBSD intranet 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

EDIT: OK, I figured out that I used posixGroup wrong. I should have used groupOfNames to insert a CN.

But what is the correct structure then?

Peter Mortensen
Daywalker

1 Answer

The RFC2307 aka "NIS" schema does not allow posixGroup to have member attributes – only memberUid; you can see for yourself in the nis.schema file, around line 175.

objectClass: posixGroup         (structural)
cn: users
gidNumber: 1000
memberUid: daywalker

If you want to use member and entry DNs when creating "system" (POSIX) groups, you will need to use the RFC2307bis schema, which changes posixGroup into auxiliary so that it could be used with either groupOfNames or groupOfMembers classes:

objectClass: groupOfMembers     (structural)
objectClass: posixGroup         (auxiliary)
cn: users
gidNumber: 1000
member: uid=daywalker,ou=people,dc=foo

For other purposes (LDAP-only groups), just groupOfNames or groupOfMembers should be enough.

user1686
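To see why the asker's modify fails with error 65 while the answer's layout passes, here is an added example (not part of the question or answer, and not OpenLDAP code): a toy model of slapd's oc_check_required / oc_check_allowed pass from the debug log above. The MUST/MAY lists are copied from the published posixGroup, groupOfNames and groupOfMembers definitions, trimmed to the attributes relevant here; the test entries are constructed from the question.

```python
# Operational attributes slapd adds itself (they show up in the oc_check_allowed log lines).
OPERATIONAL = {"objectclass", "structuralobjectclass", "entryuuid",
               "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp"}

# objectClass -> (kind, MUST attributes, MAY attributes); names lower-cased for matching.
RFC2307 = {  # nis.schema: posixGroup is STRUCTURAL and only knows memberUid
    "top": ("abstract", set(), set()),
    "posixgroup": ("structural", {"cn", "gidnumber"},
                   {"userpassword", "memberuid", "description"}),
    "groupofnames": ("structural", {"member", "cn"},
                     {"businesscategory", "seealso", "owner", "ou", "o", "description"}),
}
RFC2307BIS = dict(RFC2307)  # rfc2307bis.schema: posixGroup becomes AUXILIARY
RFC2307BIS["posixgroup"] = ("auxiliary",) + RFC2307["posixgroup"][1:]
RFC2307BIS["groupofmembers"] = ("structural", {"cn"},
                                {"member", "businesscategory", "seealso", "owner", "ou", "o", "description"})


def schema_check(entry, schema):
    """Return the violations slapd would log for `entry`; an empty list means it passes."""
    present = {a.lower() for a in entry}
    classes = [c.lower() for c in entry.get("objectClass", [])]
    errors = [f"objectClass '{c}' unknown" for c in classes if c not in schema]
    classes = [c for c in classes if c in schema]
    # Exactly one structural class is required; two unrelated ones (e.g. posixGroup +
    # groupOfNames under nis.schema) are rejected just like a missing one.
    structural = [c for c in classes if schema[c][0] == "structural"]
    if not structural:
        errors.append("no structural object class provided")
    elif len(structural) > 1:
        errors.append("invalid structural object class chain (%s)" % "/".join(structural))
    for c in classes:  # oc_check_required
        for attr in sorted(schema[c][1] - present):
            errors.append(f"object class '{c}' requires attribute '{attr}'")
    allowed = OPERATIONAL | {a for c in classes for a in schema[c][1] | schema[c][2]}
    for attr in sorted(present - allowed):  # oc_check_allowed
        errors.append(f"attribute '{attr}' not allowed")
    return errors


# Constructed from the question: the group after the attempted "add: member" modify.
AS_ASKED = {"objectClass": ["posixGroup", "top"], "cn": ["test"], "gidNumber": ["1234"],
            "member": ["cn=User Name,ou=users,dc=example,dc=org"]}
# The layout the answer recommends, which only works once rfc2307bis is loaded.
FIXED = dict(AS_ASKED, objectClass=["groupOfMembers", "posixGroup", "top"])

if __name__ == "__main__":
    for label, entry, schema in [("nis.schema, as asked", AS_ASKED, RFC2307),
                                 ("rfc2307bis, fixed", FIXED, RFC2307BIS)]:
        print(label, "->", schema_check(entry, schema) or "ok")
```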