Loren,
You need to replace the "nis.schema" schema file with a "rfc2307bis.schema" file because both posixGroup and groupOfNames are STRUCTURAL classes. Using rfc2307 schema, one object class becomes auxiliary and allows both to co-exist within the same object declaration.
OTOH, see if you can configure mod_authnz_ldap to look for "member" attribute instead of "memberUID". This will obviate the need for having posixGroup in object instantiation.
Hope this helps,
Siddhartha
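An added example, not code from the thread, that models the structural object class chain check slapd applies when it returns error 65 for the group entry quoted below. The class kinds and superior links in the two schema tables are assumptions transcribed from nis.schema, rfc2307bis.schema and core.schema, and the LDIF record is a constructed copy of the one in the question.

```python
# Added example, not from the thread: a simplified model of the check slapd
# runs when it rejects an entry with "invalid structural object class chain".
# Class kinds and SUP links are assumptions transcribed from the schema files.
# name -> (kind, superior class); "top" is the root of every chain.
NIS_SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "posixAccount": ("AUXILIARY", "top"),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "posixGroup": ("STRUCTURAL", "top"),   # nis.schema makes this STRUCTURAL
}
# rfc2307bis.schema redefines posixGroup as AUXILIARY; the rest is unchanged.
RFC2307BIS_SCHEMA = dict(NIS_SCHEMA, posixGroup=("AUXILIARY", "top"))

def superior_chain(name, schema):
    """Return [name, its SUP, ..., 'top'] by following superior links."""
    chain = []
    while name is not None:
        chain.append(name)
        name = schema[name][1]
    return chain

def structural_chain_ok(object_classes, schema):
    """Every STRUCTURAL class must lie on one chain: the most specific one
    has to derive from all the others. Returns (ok, detail)."""
    structural = [c for c in object_classes if schema[c][0] == "STRUCTURAL"]
    if not structural:
        return False, "no structural object class"
    for candidate in structural:
        if all(o in superior_chain(candidate, schema) for o in structural):
            return True, candidate
    return False, "invalid structural object class chain (%s)" % "/".join(structural)

def check_entry(ldif_text, schema):
    """Pull objectClass values out of one LDIF record and run the check."""
    classes = [line.split(":", 1)[1].strip() for line in ldif_text.splitlines()
               if line.lower().startswith("objectclass:")]
    return structural_chain_ok(classes, schema)

# Constructed copy of the group entry from the question.
ENTRY = """dn: cn=my-dba,ou=Groups,dc=exist-db,dc=org
gidNumber: 9999
objectClass: posixGroup
objectClass: groupOfUniqueNames
uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
cn: my-dba
"""

if __name__ == "__main__":
    print(check_entry(ENTRY, NIS_SCHEMA))         # rejected under nis.schema
    print(check_entry(ENTRY, RFC2307BIS_SCHEMA))  # accepted under rfc2307bis
```

The same check explains why the user entries in the base.ldif below are accepted: person, organizationalPerson and inetOrgPerson are all STRUCTURAL but sit on one superior chain, and posixAccount is AUXILIARY.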
From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org [mailto:openldap-technical-bounces+sjain=silverspringnet.com@openldap.org] On Behalf Of Loren Cahlander
Sent: Tuesday, June 01, 2010 9:05 AM
To: openldap-technical@openldap.org
Cc: Loren Cahlander
Subject: OpenLDAP configuration for ldap-group authentication on Apache2.x
Hello folks,
I am working with the following configuration under Ubuntu:
||/ Name                  Version                 Description
+++-=================================-====================================-============================================
ii  apache2               2.2.9-7ubuntu3.6        Apache HTTP Server metapackage
ii  apache2-doc           2.2.9-7ubuntu3.6        Apache HTTP Server documentation
ii  apache2-mpm-prefork   2.2.9-7ubuntu3.6        Apache HTTP Server - traditional non-threade
ii  apache2-utils         2.2.9-7ubuntu3.6        utility programs for webservers
ii  apache2.2-common      2.2.9-7ubuntu3.6        Apache HTTP Server common files
ii  ldap-account-manager  2.3.0-1                 webfrontend for managing accounts in an LDAP
ii  ldap-utils            2.4.11-0ubuntu6.2       OpenLDAP utilities
ii  libldap-2.4-2         2.4.11-0ubuntu6.2       OpenLDAP libraries
ii  slapd                 2.4.11-0ubuntu6.2       OpenLDAP server (slapd)
ii  subversion            1.5.1dfsg1-1ubuntu2.1   Advanced version control system
ii  subversion-tools      1.5.1dfsg1-1ubuntu2.1   Assorted tools related to Subversion
And need to have groups being both posixGroup and groupOfUniqueNames. Far below is my configuration. If I try loading a group with the following:
dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
gidNumber: 9999
objectClass: posixGroup
objectClass: groupOfUniqueNames
uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
cn: my-dba
I get the following error:
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames)
Does anyone have a suggestion for how to deal with this error? I am looking for a simple configuration that will work with the Apache Module mod_authnz_ldap to authenticate a user in Apache using "Require ldap-group".
Thank you,
Loren
INSTALLING LDAP

LDAP is the Lightweight Directory Access Protocol. This central database of accounts, logins and groups will be used by all the systems including the eXist database, the subversion server and the e-mail system. Note that the roles in the role-based access control system are stored using the role manager.

These commands will install a local LDAP server and a web based administrative application to manage groups and users within this virtual machine.

sudo apt-get install slapd ldap-utils ldap-account-manager
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
vi /home/exist/db.ldif and insert the following listing:

###########################################################
# DATABASE SETUP
###########################################################

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=exist-db,dc=org
olcRootDN: cn=admin,dc=exist-db,dc=org
olcRootPW: 1234
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exist-db,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=exist-db,dc=org" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq


###########################################################
# DEFAULTS MODIFICATION
###########################################################
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {CRYPT}7hzU8RaZxaGi2

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

Note: this file has the LDAP administration password (identified by olcRootPW) in it, with the default value of "1234". If you want to change this, put in your own password.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /home/exist/db.ldif

sudo vi /home/exist/base.ldif and insert the following:

dn: dc=exist-db,dc=org
objectClass: dcObject
objectClass: organization
o: exist-db.org
dc: exist-db
description: Tree root

dn: cn=admin,dc=exist-db,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: admin123
description: LDAP administrator

dn: ou=Users,dc=exist-db,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=exist-db,dc=org
objectClass: organizationalUnit
ou: Groups

dn: uid=admin,ou=Users,dc=exist-db,dc=org
sn: Administrator
uidNumber: 1
gidNumber: 1
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: admin
cn: admin
homeDirectory: /

dn: uid=guest,ou=Users,dc=exist-db,dc=org
sn: guest
uidNumber: 2
gidNumber: 300
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: guest
cn: guest
homeDirectory: /guest

dn: cn=dba,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: dba
gidNumber: 1
cn: dba

dn: cn=guest,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: guest
gidNumber: 300
cn: guest
memberUid: admin

dn: cn=svn-update,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: SVN Update
gidNumber: 400
cn: svn-update

dn: cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: SVN Read Only
gidNumber: 500
cn: svn-readonly

dn: cn=backup-access,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: System backup page access.
gidNumber: 600
cn: backup-access

Note: this file has the database administration password in it, with the default value of "admin123". If you want to change this, put your own password in the correct location.

You can now load this configuration file into the LDAP database with the ldapadd command:

sudo ldapadd -x -D cn=admin,dc=exist-db,dc=org -W -f /home/exist/base.ldif

When prompted for the password, use "1234" unless you changed the value in db.ldif.