dn-based linux groups from ldap
Solution 1
Yes.
In your nss_ldap configuration file, set nss_schema:
nss_schema rfc2307bis
On your server in the schema, make sure the posixGroup object class is auxiliary instead of structural.
Then you can use both the groupofmembers (new) or groupofnames (old) and posixgroup objectclasses for each group. Each member will be in a member attribute:
dn: cn=foo,ou=Groups,dc=example
objectclass: top
objectclass: posixgroup
objectclass: groupofmembers
gidnumber: 9234
member: uid=bob,ou=people,dc=example
member: uid=alice,ou=people,dc=example
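As an added example (not part of the answer above), the following script reads group entries from LDIF and checks that each one carries what nss_ldap needs in rfc2307bis mode: posixGroup for the gidNumber, groupOfMembers or groupOfNames for DN-valued member attributes, and no leftover uid-based memberUid values. SAMPLE_LDIF is constructed for the example; its first entry is the group from the answer with a cn attribute added (slapd requires the naming attribute to be present in the entry), and its second entry is a legacy uid-based group for contrast. The getent-style line it prints is an approximation: it takes the uid from each member DN's first RDN instead of looking the entry up as nss_ldap does.

```python
"""Lint rfc2307bis-style group entries before importing them into LDAP.

Added example, not code from the answer. Parses LDIF entries and checks
that each group is usable by nss_ldap with nss_schema rfc2307bis.
"""
import re
import sys

# Matches a member DN whose leading RDN is uid=<name>
UID_RDN = re.compile(r"^uid=([^,]+),", re.IGNORECASE)

# Constructed sample: the answer's group (plus cn) and a legacy group.
SAMPLE_LDIF = """\
dn: cn=foo,ou=Groups,dc=example
cn: foo
objectclass: top
objectclass: posixgroup
objectclass: groupofmembers
gidnumber: 9234
member: uid=bob,ou=people,dc=example
member: uid=alice,ou=people,dc=example

dn: cn=legacy,ou=Groups,dc=example
objectclass: top
objectclass: posixgroup
gidnumber: 9235
memberuid: bob
"""


def parse_ldif(text):
    """Minimal LDIF parser: one {attr_lower: [values]} dict per entry.
    Handles '#' comments and ' '-folded lines; no base64 ('::') values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]     # folded line continues the value
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.lstrip())
    if current:
        entries.append(current)
    return entries


def rdn_value(dn):
    """First RDN value of a DN, e.g. 'foo' from 'cn=foo,ou=Groups,dc=example'."""
    return dn.split(",", 1)[0].partition("=")[2]


def check_group(entry):
    """Return (problems, getent_style_line) for one group entry."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixgroup" not in classes:
        problems.append("missing posixGroup, so NSS gets no gidNumber")
    if not classes & {"groupofmembers", "groupofnames"}:
        problems.append("missing groupOfMembers/groupOfNames, so no DN-based members")
    if "gidnumber" not in entry:
        problems.append("missing gidNumber")
    if "cn" not in entry:
        problems.append("no cn attribute; slapd requires the naming attribute in the entry")
    if "memberuid" in entry:
        problems.append("legacy memberUid present; rfc2307bis mode reads member DNs")
    uids = []
    for dn in entry.get("member", []):
        m = UID_RDN.match(dn)
        if m:
            uids.append(m.group(1))
        else:
            problems.append(f"member value is not a uid=... DN: {dn!r}")
    name = entry.get("cn", [rdn_value(entry["dn"][0])])[0]
    gid = entry.get("gidnumber", ["?"])[0]
    # Approximation of what `getent group <name>` would show after import.
    return problems, f"{name}:*:{gid}:{','.join(uids)}"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for entry in parse_ldif(text):
        problems, line = check_group(entry)
        print(line)
        for p in problems:
            print("  !", p)
```

Run it with a file argument to lint your own LDIF before `ldapadd`; with no argument it checks the constructed sample, reporting the first group clean and the legacy group with three problems.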
Solution 2
To get the groupOfMembers schema, you can either extract it from the rfc, or use this one that's been done for you, and save it to /etc/openldap/schema/rfc2307bis.schema. This schema supersedes the nis schema, so remove that one first.
If you're using the cn=config backend:
- create a file convert-schema.conf containing:
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/rfc2307bis.schema
- create a directory called /tmp/convert
- convert schema to ldif:
  slaptest -f convert-schema.conf -F /tmp/convert/
- Fix any errors, including removing apostrophes in values and removing references to the authPassword attribute, until slaptest succeeds
- copy /tmp/convert/cn=config/cn=schema/cn={2}rfc2307bis.ldif to /etc/openldap/rfc2307bis.ldif
- modify rfc2307bis.ldif:
  - change the first line to
    dn: cn=rfc2307bis,cn=schema,cn=config
  - change the third line to
    cn: rfc2307bis
  - remove the seven lines at the end (structuralObjectClass through modifyTimestamp)
- import the schema ldif:
  ldapadd -f rfc2307bis.ldif -D "cn=admin,cn=config" -W
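The "modify rfc2307bis.ldif" step above is easy to get wrong by hand, so here is an added example script (not part of the answer) that applies those edits to a slaptest-generated schema LDIF: it rewrites the dn and cn lines to the cn=schema,cn=config location without the {N} ordering prefix, drops the AUTO-GENERATED comment header, and strips the operational attributes slaptest writes at the end (structuralObjectClass through modifyTimestamp). It matches those attributes by name rather than counting seven lines, so it also copes with a server that emits a different number of them. SAMPLE is a constructed, shortened stand-in for such a file; the olcAttributeTypes and olcObjectClasses values are abbreviated.

```python
"""Post-process a slaptest-generated schema LDIF for ldapadd into cn=config.

Added example, not code from the answer. Performs the manual edits the
answer lists: fix dn, fix cn, drop generated comments, strip operational
attributes.
"""
import re
import sys

# Operational attributes slapd generates; ldapadd rejects them on input.
OPERATIONAL_ATTRS = {
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
}
ORDER_PREFIX = re.compile(r"\{\d+\}")      # the {2} in cn={2}rfc2307bis
SCHEMA_PARENT = ",cn=schema,cn=config"

# Constructed, abbreviated stand-in for cn={2}rfc2307bis.ldif.
SAMPLE = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={2}rfc2307bis
objectClass: olcSchemaConfig
cn: {2}rfc2307bis
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'An integer uni
 quely identifying a user in an administrative domain' EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of
  a group of accounts' SUP top AUXILIARY MUST gidNumber MAY ( userPassword $
  memberUid $ description ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20220917000000Z
entryCSN: 20220917000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20220917000000Z
"""


def fix_schema_ldif(text):
    """Return the LDIF text rewritten so that ldapadd accepts it."""
    out = []
    dropping = False            # True while inside an attribute being removed
    for line in text.splitlines():
        if line.startswith("#"):
            continue            # generated comments; the CRC would be stale anyway
        if line.startswith(" "):            # LDIF folded continuation line
            if not dropping:
                out.append(line)
            continue
        dropping = False
        if not line.strip():
            out.append(line)
            continue
        attr, _, value = line.partition(":")
        name = attr.strip().lower()
        value = value.strip()
        if name == "dn":
            value = ORDER_PREFIX.sub("", value, count=1)
            if not value.lower().endswith(SCHEMA_PARENT):
                value += SCHEMA_PARENT
            out.append(f"dn: {value}")
        elif name == "cn":
            out.append(f"cn: {ORDER_PREFIX.sub('', value, count=1)}")
        elif name in OPERATIONAL_ATTRS:
            dropping = True     # skip this line and any folded continuation
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(fix_schema_ldif(src))
```

Run it as `python fix_schema.py /tmp/convert/cn=config/cn=schema/cn={2}rfc2307bis.ldif > /etc/openldap/rfc2307bis.ldif` (the script name is hypothetical), diff the result against the original to confirm only the expected lines changed, then import it with the ldapadd command above.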
Brad Mace
Updated on September 17, 2022
Comments
- Brad Mace, over 1 year ago: Is there any way to use one of LDAP's DN-based groups for linux groups instead of using the uid-based posixGroup objectclass? More broadly, is there any way I can avoid having one set of groups for supporting linux accounts and a parallel set of groups that's used by everything else?
- Brad Mace, over 13 years ago: Had to add groupOfMembers to my schema manually and add nss_map_attribute uniqueMember member, but I got it working. Now I'm stuck on nested groups, know anything about that?
- Brad Mace, over 13 years ago: Nevermind, it started working. I think I probably had just some bogus values that were messing things up.
- Stijn Hoop, over 9 years ago: Note that the extracted schema file is NOT directly importable in OpenLDAP 2.4, some edits need to be made. My updated version is found at github.com/shoop/openldap-rfc2307bis/blob/master/…