thanks very much... started digging into the official admin guide again yesterday.
I'm paranoid about breaking the automation we've been able to achieve with this so far...
----- Original Message ----- From: harry jede <harry.jede@arcor.de> To: openldap-technical@openldap.org Sent: Wed, 26 Feb 2014 04:55:26 -0800 (PST) Subject: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
Jefferson Davis wrote:
> So I've read, however, there is very little documentation on
> implementation, at least that I've been able to find.
There is tons of information about nis, rfc2307 and/or rfc2307bis. However, it is easy to search but often hard to find.
So before you search the web, try using the right docs:
openldap admin guide & faq http://www.openldap.org/
openldap man pages
openldap test suite (in source tgz). Yes, read the sources.
the archive of this mailing list
the rfcs http://tools.ietf.org/rfc/index
use the latest rfc2307bis rfc draft http://tools.ietf.org/html/draft-howard-rfc2307bis-02
the docs & man pages for your favorite nss software: PADL's old nss suite, Arthur de Jong's suite (nss-pam-ldapd) and finally OpenLDAP's nssov contrib module
> ----- Original Message -----
> From: "Dieter Klünter" <dieter@dkluenter.de>
> To: openldap-technical@openldap.org
> Sent: Friday, February 21, 2014 10:55:58 PM
> Subject: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
>
> Am Fri, 21 Feb 2014 11:14:12 -0800 (PST)
> schrieb Jefferson Davis <jdavis@standard.k12.ca.us>:
> > This has been beating me like a red-headed stepchild...
> >
> > In the AD world, groupOfNames is expected (in combination with the
> > member attribute, provides for reverse group resolution, ie users
> > by group membership AND groups by member inclusion).
> This can be achieved by overlay memberOf, man slapo-memberof(5).
>
> > On the unix side of the fence, groups REQUIRE a gidNumber in order
> > to resolve group membership, using posixGroup structural OC in
> > conjunction with memberUID.
That, using posixGroup structural OC, is true for the quite old and obsolete nis schema.
> The rfc2307bis.schema provides auxiliary object classes to solve
> this. In addition you may use the groupOfNames objectclass.
Or the groupOfMembers objectclass from draft-howard-rfc2307bis-02, because this oc supports empty groups and has ordering rules for uidnumber/gidnumber.
> > In attempting to future-proof our ldap services, and to accommodate
> > the AD-Focused nature of commercial products, I'm attempting to get
> > this to all work automatically, ie use the same group setup for
> > both (probably naive and ill-advised?).
Windows groups and unix groups are not the same thing. So, that you have issues with them is quite normal.
> > But you CANNOT have
> > multiple structural objectclasses in a single entry. So these
> > requirements put group structures in direct opposition of one
> > another.
Only right for the nis schema and rfc2307 schemas; use rfc2307bis (latest version).
> > Has anyone resolved this successfully, and if so, how? Overlays
> > (which ones, examples)? Schema mods (examples?)
> >
> > Splitting groups off as unix groups vs windows groups (sync could
> > get ugly) and could run into other issues with respect to file and
> > dir permissions.
> >
> > I also need to avoid breaking smbldap-tools, which at the moment
> > appears NOT to support the groupofnames model.
Good joke, smbldap-tools was designed for today's unsupported samba versions. Use samba-ad and forget smbldap-tools forever.
> > Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from
> > older OpenLDAP version.
Use a recent version of openldap, not this old stuff. If you must use the CentOS 6 release of openldap, this list is not yours.
> > I'm somewhat open to considering a
> > different LDAP service (389/Apache/OpenDJ) though I've found java
> > to be a resource pig in the extreme, and would prefer to avoid if
> > possible.
Use Perl's Net::LDAP module.
> > If you have this working I would love to see the relevant
> > configuration files.
>
> -Dieter
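Added example, not part of this thread and not code from either poster: one LDIF that puts together the two pieces Dieter and harry point at, the memberOf overlay (slapo-memberof) for reverse lookups and an rfc2307bis-style group that is groupOfNames (structural, DN-valued member) plus posixGroup (auxiliary in rfc2307bis, so it can sit on the same entry and carry the gidNumber Unix needs). All DNs, names and id numbers are constructed; the database is assumed to be olcDatabase={1}mdb and the module list entry is assumed to be cn=module{0}. rfc2307bis.schema must be loaded in place of nis.schema (they define the same OIDs and cannot be loaded together).

```ldif
# Added example (not from the thread). Assumptions: cn=config layout with
# olcDatabase={1}mdb and an existing cn=module{0}; rfc2307bis.schema loaded
# instead of nis.schema. All DNs, names and numbers below are constructed.

# 1. Load and enable the memberOf overlay. It maintains the reverse link
#    (user -> groups) in an operational attribute "memberOf" whenever a
#    groupOfNames entry's "member" attribute changes.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
# keep "member" consistent when a member entry is deleted or renamed
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# 2. A user that is both an LDAP person and a Unix account.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

# 3. One group entry serving both worlds: groupOfNames is the structural
#    class (AD-style DN membership), posixGroup is auxiliary under
#    rfc2307bis and supplies the gidNumber. Do NOT set memberOf by hand;
#    the overlay owns it.
dn: cn=developers,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
gidNumber: 10001
member: uid=alice,ou=people,dc=example,dc=com
# memberUid is only needed for NSS clients that resolve groups via memberUid
# instead of the DN-valued member attribute. If you keep it, it has to be
# maintained in lockstep with member (the "sync could get ugly" problem);
# with nss-pam-ldapd or nssov reading member, it can be dropped.
memberUid: alice
```

Apply the first two entries as the config identity (for example `ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif`) and the data entries with a normal admin bind. Two checks worth running afterwards: `ldapsearch -LLL -b ou=people,dc=example,dc=com '(memberOf=cn=developers,ou=groups,dc=example,dc=com)' uid memberOf` must return alice (memberOf is operational, so request it explicitly), and `getent group developers` on an NSS-configured client must show gid 10001 with alice as a member. Note that the overlay only fills in memberOf for groups modified after it is enabled; groups that already exist need to be re-added or re-written once for the reverse link to appear.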