I'm using OpenLDAP on Ubuntu 12.04. The installation of OpenLDAP automatically installs the schemas for core, cosine, nis and inetorgperson.
In the nis schema, posixGroup is defined as structural but I need it to be auxiliary.
Is it possible to change that definition? My database is completely empty - I've literally uninstalled OpenLDAP and then reinstalled it in an attempt to try and find a clean way of solving my problem.
Alternatively - and perhaps better since I'm a bit worried about changing *just* that one thing - is it possible for me to export the slapd configuration in a way that I can then edit the configuration to replace nis with rfc2307bis and create everything afresh? Unfortunately, because the installation on Ubuntu does all of the slapd configuration automatically, I don't know what parameters are being specified.
Many thanks for any help or suggestions provided.
Philip
--On Wednesday, January 09, 2013 4:21 PM +0000 Philip Colmer philip.colmer@linaro.org wrote:
> Alternatively - and perhaps better since I'm a bit worried about changing *just* that one thing - is it possible for me to export the slapd configuration in a way that I can then edit the configuration to replace nis with rfc2307bis and create everything afresh? Unfortunately, because the installation on Ubuntu does all of the slapd configuration automatically, I don't know what parameters are being specified.
Use slapcat to export it. Use slapadd to import it. See the related man pages.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
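Quanah's slapcat/slapadd round trip spelled out for the Ubuntu 12.04 layout, as an added example that is not part of the thread. The paths /etc/ldap/slapd.d and the openldap user are the package defaults; /root/config.ldif and /root/rfc2307bis.ldif are assumed locations, the latter for an rfc2307bis schema already converted to cn=config (olcAttributeTypes/olcObjectClasses) form, which the Ubuntu package does not ship.

```ldif
# Added example, not from the thread. All commands run as root with slapd
# stopped; /root/config.ldif and /root/rfc2307bis.ldif are assumed paths.
#
#   service slapd stop
#   cp -a /etc/ldap/slapd.d /root/slapd.d.bak                 # rollback copy
#   slapcat -n 0 -F /etc/ldap/slapd.d -l /root/config.ldif    # database 0 = cn=config
#
# config.ldif holds one entry per loaded schema; {n} is the load order and the
# indices must stay contiguous. The Ubuntu package produces these four:
#
#   dn: cn={0}core,cn=schema,cn=config
#   dn: cn={1}cosine,cn=schema,cn=config
#   dn: cn={2}nis,cn=schema,cn=config
#   dn: cn={3}inetorgperson,cn=schema,cn=config
#
# Inside the nis entry is the STRUCTURAL posixGroup definition:
#
#   olcObjectClasses: {n}( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
#     DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL
#     MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
#
# Edit config.ldif: delete the whole cn={2}nis entry (from its dn line to the
# blank line that ends it) and put the rfc2307bis entry in the same position,
# keeping index {2} so that inetorgperson stays {3}. The replacement entry:
dn: cn={2}rfc2307bis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}rfc2307bis
# (all olcAttributeTypes and olcObjectClasses lines from /root/rfc2307bis.ldif
#  go here; the one that matters for this thread is the AUXILIARY posixGroup)
olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
  DESC 'Abstraction of a group of accounts' SUP top AUXILIARY
  MUST gidNumber MAY ( userPassword $ memberUid $ description ) )

# Rebuild cn=config from the edited file and check it before starting slapd:
#
#   rm -rf /etc/ldap/slapd.d/*
#   slapadd -n 0 -F /etc/ldap/slapd.d -l /root/config.ldif
#   chown -R openldap:openldap /etc/ldap/slapd.d   # slapadd wrote the files as root
#   slaptest -F /etc/ldap/slapd.d                  # parse check before going live
#   service slapd start
#
# Confirm the running server now advertises the AUXILIARY definition:
#
#   ldapsearch -x -LLL -o ldif-wrap=no -H ldapi:/// -b cn=subschema -s base \
#     '(objectClass=*)' objectClasses | grep "'posixGroup'"
```

Only database 0 (cn=config) is touched; the data database is left alone, which is safe here because it is empty. On a server that already holds entries whose sole structural class is posixGroup, those entries would no longer satisfy the schema once posixGroup becomes AUXILIARY, so they would have to be exported with slapcat, given a structural class (groupOfMembers, for instance) and re-added.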
On Wed, Jan 09, 2013 at 04:21:43PM +0000, Philip Colmer wrote:
> I'm using OpenLDAP on Ubuntu 12.04. The installation of OpenLDAP automatically installs the schemas for core, cosine, nis and inetorgperson.
> In the nis schema, posixGroup is defined as structural but I need it to be auxiliary.
It is a very very bad idea to change the definitions of standard types. There may be code out there that will break in interesting and unpredictable ways. I would agree that many of the standard types seem a bit haphazard these days, but they are still standard...
Why do you 'need it to be auxiliary'?
Would it be better to say that you want to make some entries that have gidNumber and memberUid and some other attributes that are not in the posixGroup list? If so, why not define your own auxiliary class that allows you to add the other attributes to a posixGroup entry?
If you really cannot add a new aux class to the entries concerned, you could consider using a DIT Content Rule to permit more attributes. This would be standards-conformant, but unfortunately many LDAP browsers don't understand it so editing such entries could be a bit awkward.
Andrew
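Andrew's two mechanisms, a private auxiliary class or a DIT content rule, written out as cn=config LDIF. This is an added example for this page, not from the thread. The schema entry cn=mailgroup, the class name mailGroupInfo and the OID arc 1.3.6.1.4.1.99999 are made up: substitute an OID arc your organisation actually owns before loading it anywhere real. The attribute types it reuses (mail from cosine, owner and description from core, displayName from inetorgperson) are all in the schemas the Ubuntu package already loads, so nothing in nis changes.

```ldif
# Added example. Split into two files: the cn=config records go in with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f mailgroup.ldif
# and the group entry with the data-database admin identity:
#   ldapmodify -x -D cn=admin,dc=example,dc=com -W -f group.ldif

# 1. A private auxiliary class; the standard posixGroup is untouched.
dn: cn=mailgroup,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: mailgroup
olcObjectIdentifier: mailGroupOID 1.3.6.1.4.1.99999.1
olcObjectClasses: ( mailGroupOID:1 NAME 'mailGroupInfo'
  DESC 'Mail-list attributes that may be added to a posixGroup entry'
  SUP top AUXILIARY
  MAY ( mail $ owner $ displayName $ description ) )

# A group that Linux still sees as a plain posixGroup (structural class,
# gidNumber and memberUid exactly as before) and that also carries the
# mail-list attributes via the auxiliary class:
dn: cn=engineers,ou=groups,dc=example,dc=com
changetype: add
objectClass: posixGroup
objectClass: mailGroupInfo
cn: engineers
gidNumber: 10001
memberUid: alice
memberUid: bob
mail: engineers@example.com
owner: uid=alice,ou=people,dc=example,dc=com
displayName: Engineering

# 2. Alternative that adds no objectClass to the entries: a DIT content rule,
# keyed on posixGroup's own OID, that lets every posixGroup entry carry the
# extra attributes directly. Two caveats: once a content rule exists for a
# structural class, entries of that class may only use auxiliary classes named
# in its AUX list (none here, so mailGroupInfo would then be rejected), and
# most LDAP GUIs ignore content rules and will flag the extra attributes as
# schema violations when editing.
dn: cn=mailgroup,cn=schema,cn=config
changetype: modify
add: olcDitContentRules
olcDitContentRules: ( 1.3.6.1.1.1.2.2 NAME 'posixGroupContent'
  DESC 'Permit mail-list attributes on posixGroup without an auxiliary class'
  MAY ( mail $ owner $ displayName ) )
```

Pick one of the two; they are alternatives, not a pair. After loading, `ldapsearch -x -H ldapi:/// -b cn=subschema -s base '(objectClass=*)' objectClasses dITContentRules` shows what the server actually enforces.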
Hi Andrew (and the rest of the group!)
Perhaps it might help if I explained what I was trying to accomplish then, if I've made any mistakes in my thinking, they can be corrected :-).
What I want to do is use the LDAP store for two purposes: Linux authentication and syncing with Google Apps for profile/group information and SSO. To that end, and specifically focussing on groups, I need a group in LDAP to serve two purposes: to act as a security group (i.e. it needs a gidNumber and be a posixGroup so that Linux will use it for group membership and ACLs) and to act as an email group (at a minimum have a list of members, an owner, a description and an email address).
In my approach to the choice of classes to use here, I find myself being somewhat constrained by the tools I want to use. Atlassian Crowd is being used as the means of providing Google SSO and OpenID functionality. When it comes to groups, Crowd "prefers" groupOfNames or groupOfUniqueNames. Although I can reconfigure Crowd to "see" posixGroup entries instead of groupOfUniqueNames entries, it doesn't see the members, presumably because they are UIDs and not DNs.
I'm also using LDAP Account Manager as the primary tool to allow administrators and staff to manage information stored in LDAP. For group management, it supports both posixGroup and groupOfUniqueNames.
I can, in theory at least, add extensibleObject to the groups defined as posixGroup so that I can then add description, displayName, mail and owner. That gives me a different problem when it comes to syncing the groups up to Google, though, because it also (like Crowd) seems to be expecting attribute values for members to be DNs.
So, I'm open to suggestions here. I thought I had a fairly straightforward requirement but the LDAP world doesn't seem to have anything that meets the requirement.
Thanks for any feedback.
Philip
On 9 January 2013 18:36, Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
> On Wed, Jan 09, 2013 at 04:21:43PM +0000, Philip Colmer wrote:
> > I'm using OpenLDAP on Ubuntu 12.04. The installation of OpenLDAP automatically installs the schemas for core, cosine, nis and inetorgperson.
> > In the nis schema, posixGroup is defined as structural but I need it to be auxiliary.
> It is a very very bad idea to change the definitions of standard types. There may be code out there that will break in interesting and unpredictable ways. I would agree that many of the standard types seem a bit haphazard these days, but they are still standard...
> Why do you 'need it to be auxiliary'?
> Would it be better to say that you want to make some entries that have gidNumber and memberUid and some other attributes that are not in the posixGroup list? If so, why not define your own auxiliary class that allows you to add the other attributes to a posixGroup entry?
> If you really cannot add a new aux class to the entries concerned, you could consider using a DIT Content Rule to permit more attributes. This would be standards-conformant, but unfortunately many LDAP browsers don't understand it so editing such entries could be a bit awkward.
> Andrew
> | From Andrew Findlay, Skills 1st Ltd                                 |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/                       +44 1628 782565 |
On Thu, Jan 10, 2013 at 10:51:41AM +0000, Philip Colmer wrote:
> What I want to do is use the LDAP store for two purposes: Linux authentication and syncing with Google Apps for profile/group information and SSO. To that end, and specifically focussing on groups, I need a group in LDAP to serve two purposes: to act as a security group (i.e. it needs a gidNumber and be a posixGroup so that Linux will use it for group membership and ACLs) and to act as an email group (at a minimum have a list of members, an owner, a description and an email address).
> In my approach to the choice of classes to use here, I find myself being somewhat constrained by the tools I want to use. Atlassian Crowd is being used as the means of providing Google SSO and OpenID functionality. When it comes to groups, Crowd "prefers" groupOfNames or groupOfUniqueNames. Although I can reconfigure Crowd to "see" posixGroup entries instead of groupOfUniqueNames entries, it doesn't see the members, presumably because they are UIDs and not DNs.
> I'm also using LDAP Account Manager as the primary tool to allow administrators and staff to manage information stored in LDAP. For group management, it supports both posixGroup and groupOfUniqueNames.
Can you persuade that tool to work with other classes?
> I can, in theory at least, add extensibleObject to the groups defined as posixGroup so that I can then add description, displayName, mail and owner. That gives me a different problem when it comes to syncing the groups up to Google, though, because it also (like Crowd) seems to be expecting attribute values for members to be DNs.
I think you would do best to use RFC2307bis if all of your tools can work with it. Any recent Linux distro should have NSS and PAM libraries that accept DN-style group membership, so I would use 'member' rather than the 'memberUid' attribute for groups. You may need to adjust some settings in /etc/ldap.conf or similar.
2307bis prefers the use of groupOfMembers as the structural class. This is better than groupOfNames or groupOfUniqueNames because it permits empty groups.
In 2307bis, posixGroup is AUXILIARY [amusing, given my earlier comments on changing standard stuff :-)]. So you could have group entries that are both groupOfMembers and posixGroup. If your tools really cannot cope with groupOfMembers then you could consider groupOfNames with posixGroup, but you will then have to put a bogus member in each group to satisfy the definition of groupOfNames.
I would avoid using extensibleObject as that removes all the limits on what may be in an entry.
If you still need to add a mail address to your groups, you will also need to define an auxiliary class of your own to permit it.
Andrew
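Andrew's rfc2307bis layout as concrete entries, an added example written for this page rather than taken from the thread. It assumes the nis schema has been replaced by rfc2307bis (so posixGroup is AUXILIARY and groupOfMembers exists), a base of dc=example,dc=com, and a locally defined auxiliary class called mailGroupInfo that permits mail; that class and its name are assumptions, needed because neither groupOfMembers nor groupOfNames allows mail.

```ldif
# Added example. Load with:
#   ldapadd -x -D cn=admin,dc=example,dc=com -W -f groups.ldif
# Members are DNs (member), not login names (memberUid), so DN-based
# consumers such as Crowd or a Google sync see the same membership as NSS.

# Preferred form: groupOfMembers (STRUCTURAL) + posixGroup (AUXILIARY).
dn: cn=engineers,ou=groups,dc=example,dc=com
objectClass: groupOfMembers
objectClass: posixGroup
objectClass: mailGroupInfo
cn: engineers
gidNumber: 10001
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
owner: uid=alice,ou=people,dc=example,dc=com
mail: engineers@example.com
description: Engineering team: Unix primary group and mail list

# groupOfMembers makes member optional, so a group can legitimately be empty
# (a freshly created project group, or one whose last member just left):
dn: cn=interns,ou=groups,dc=example,dc=com
objectClass: groupOfMembers
objectClass: posixGroup
cn: interns
gidNumber: 10002

# Fallback when a tool only understands groupOfNames: member is MUST there,
# so every group needs a placeholder value. Reserve one DN for this (it need
# not exist unless the refint overlay is loaded) and filter it out in every
# consumer, otherwise it appears as a real member in Crowd and in Google.
dn: cn=contractors,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
objectClass: mailGroupInfo
cn: contractors
gidNumber: 10003
member: cn=placeholder,ou=groups,dc=example,dc=com
mail: contractors@example.com
```

Whether the Linux side resolves member DNs into Unix group membership depends on the client library, not on the directory: with nss-pam-ldapd (the Ubuntu 12.04 default) check the group map's member attribute in nslcd.conf(5), with sssd the ldap_group_member option, and verify with `getent group engineers` before any file-system ACL relies on the group.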
Hi Andrew
Thank you for your input. Unfortunately, that gives me a different problem because when you install OpenLDAP on Ubuntu 12.04, it automatically installs the nis schema, which clashes with the 2307bis schema, which is why I was originally trying to find a way of just changing the definition of posixGroup, since OpenLDAP won't allow you to remove schema definitions.
I've yet to figure out how to remove the installation that Ubuntu does and put in a replacement installation that uses 2307bis instead of nis.
I think, given issues I'm hitting elsewhere, I *may* end up using Google to manage groups that are email-only, and write a script that reads all of the posixGroup entries and creates equivalent groupOfUniqueNames entries which can then be synced up to Google so that I have at least got email versions of the security groups. This is probably, in the long term, a much cleaner way of dealing with things.
Thank you, though, for all of the feedback.
Regards
Philip
On 10 January 2013 12:37, Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
> On Thu, Jan 10, 2013 at 10:51:41AM +0000, Philip Colmer wrote:
> > What I want to do is use the LDAP store for two purposes: Linux authentication and syncing with Google Apps for profile/group information and SSO. To that end, and specifically focussing on groups, I need a group in LDAP to serve two purposes: to act as a security group (i.e. it needs a gidNumber and be a posixGroup so that Linux will use it for group membership and ACLs) and to act as an email group (at a minimum have a list of members, an owner, a description and an email address).
> > In my approach to the choice of classes to use here, I find myself being somewhat constrained by the tools I want to use. Atlassian Crowd is being used as the means of providing Google SSO and OpenID functionality. When it comes to groups, Crowd "prefers" groupOfNames or groupOfUniqueNames. Although I can reconfigure Crowd to "see" posixGroup entries instead of groupOfUniqueNames entries, it doesn't see the members, presumably because they are UIDs and not DNs.
> > I'm also using LDAP Account Manager as the primary tool to allow administrators and staff to manage information stored in LDAP. For group management, it supports both posixGroup and groupOfUniqueNames.
> Can you persuade that tool to work with other classes?
> > I can, in theory at least, add extensibleObject to the groups defined as posixGroup so that I can then add description, displayName, mail and owner. That gives me a different problem when it comes to syncing the groups up to Google, though, because it also (like Crowd) seems to be expecting attribute values for members to be DNs.
> I think you would do best to use RFC2307bis if all of your tools can work with it. Any recent Linux distro should have NSS and PAM libraries that accept DN-style group membership, so I would use 'member' rather than the 'memberUid' attribute for groups. You may need to adjust some settings in /etc/ldap.conf or similar.
> 2307bis prefers the use of groupOfMembers as the structural class. This is better than groupOfNames or groupOfUniqueNames because it permits empty groups.
> In 2307bis, posixGroup is AUXILIARY [amusing, given my earlier comments on changing standard stuff :-)]. So you could have group entries that are both groupOfMembers and posixGroup. If your tools really cannot cope with groupOfMembers then you could consider groupOfNames with posixGroup, but you will then have to put a bogus member in each group to satisfy the definition of groupOfNames.
> I would avoid using extensibleObject as that removes all the limits on what may be in an entry.
> If you still need to add a mail address to your groups, you will also need to define an auxiliary class of your own to permit it.
> Andrew
> | From Andrew Findlay, Skills 1st Ltd                                 |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/                       +44 1628 782565 |
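What Philip's fallback script would produce with the stock nis schema, as an added illustration that is not from the thread: because posixGroup and groupOfUniqueNames are both STRUCTURAL there, the mail view has to be a second entry derived from the first. The ou=mailgroups container, the cn=groupsync identity, the database DN olcDatabase={1}hdb,cn=config (the 12.04 package default) and the dc=example,dc=com base are all assumptions.

```ldif
# Added example. Source entry, maintained by hand (e.g. via LDAP Account Manager):
dn: cn=engineers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: engineers
gidNumber: 10001
memberUid: alice
memberUid: bob
description: Engineering team

# Mirror written by the sync script: each memberUid is looked up as
# (uid=<value>) under ou=people and its DN becomes a uniqueMember; a memberUid
# that matches no entry (a purely local account, say) is skipped. The script
# rewrites the whole mirror on every run. uniqueMember is MUST, so a posix
# group with no resolvable members gets no mirror, and a stale mirror of such
# a group must be deleted rather than left behind.
dn: cn=engineers,ou=mailgroups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: engineers
description: Engineering team
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com

# Keep the mirror strictly one-way: an ACL placed in front of the Ubuntu
# default rules so that only the sync identity can write under ou=mailgroups,
# and a hand edit there cannot silently diverge from the posix group that
# actually governs file access. The {0} index inserts the rule first; appended
# at the end it would sit behind the default "to * ... write" rule and never
# be reached.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=mailgroups,dc=example,dc=com"
  by dn.exact="cn=groupsync,ou=services,dc=example,dc=com" write
  by * read
```

Apply the ACL change with `ldapmodify -Y EXTERNAL -H ldapi:/// -f mirror-acl.ldif` and confirm the order with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess`; note that after this rule even cn=admin can no longer write under ou=mailgroups, which is the intent.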
openldap-technical@openldap.org