Hi to all,
two years ago I tried to use dynamic groups as Posix groups, see this post: https://www.openldap.net/lists/openldap-technical/201911/msg00028.html
Now I tried it again with OpenLDAP 2.6 and the attribute memberUID is still not showing up. Is it still not possible to search for memberUid?
@Quanah You wrote: There's work to change this behavior (See ITS#9121) for OpenLDAP 2.5.
Is the work on it still in progress?
Stefan
--On Thursday, December 30, 2021 4:08 PM +0100 Stefan Kania stefan@kania-online.de wrote:
> Hi to all,
> two years ago I tried to use dynamic groups as Posix groups, see this post: https://www.openldap.net/lists/openldap-technical/201911/msg00028.html
> Now I tried it again with OpenLDAP 2.6 and the attribute memberUID is still not showing up. Is it still not possible to search for memberUid?
> @Quanah You wrote: There's work to change this behavior (See ITS#9121) for OpenLDAP 2.5.
> Is the work on it still in progress?
LDAP groups are defined by DNs, which are unambiguous. memberUID values are ambiguous and not usable for defining LDAP groups.
There are 3 different objectClasses you can trivially use for defining groups in LDAP:
groupOfNames (uses member attribute, from core.schema)
groupOfUniqueNames (uses uniqueMember attribute, from core.schema)
groupOfMembers (uses member attribute, from rfc2307bis.schema)
In general, "memberUID" is for use with posix groups (NOT LDAP groups). But again, it's generally deficient since it cannot discern between two different entries with the same UID. I.e.:
dn: uid=joe,ou=employees,dc=example,dc=com
uid: joe

dn: uid=joe,ou=students,dc=example,dc=com
uid: joe
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 1/3/22 18:03, Quanah Gibson-Mount wrote:
> In general, "memberUID" is for use with posix groups (NOT LDAP groups). But again, it's generally deficient since it cannot discern between two different entries with the same UID. I.e.:
>
> dn: uid=joe,ou=employees,dc=example,dc=com
> uid: joe
>
> dn: uid=joe,ou=students,dc=example,dc=com
> uid: joe
But slapo-unique could be used to enforce uniqueness of the 'uid' attribute.
Ciao, Michael.
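Quanah's point that memberUid values are ambiguous while member DNs are not, and Michael's slapo-unique suggestion, as an added Python example that is not from anyone in this thread and not OpenLDAP tooling. The LDIF is constructed to mirror the two "joe" entries above; `parse_ldif`, `resolve_posix_group`, `resolve_ldap_group` and `duplicate_uids` are this example's own functions. It resolves a posixGroup and a groupOfNames over the same entries and reports the duplicate uid values that slapo-unique would refuse at write time.

```python
from collections import defaultdict

# Constructed LDIF mirroring the thread's two "joe" entries, plus one
# posixGroup (memberUid values) and one groupOfNames (member DNs).
SAMPLE_LDIF = """\
dn: uid=joe,ou=employees,dc=example,dc=com
objectClass: posixAccount
uid: joe
uidNumber: 10001

dn: uid=joe,ou=students,dc=example,dc=com
objectClass: posixAccount
uid: joe
uidNumber: 20001

dn: uid=anna,ou=employees,dc=example,dc=com
objectClass: posixAccount
uid: anna
uidNumber: 10002

dn: cn=lab,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: lab
gidNumber: 5000
memberUid: joe
memberUid: anna

dn: cn=lab,ou=ldapgroups,dc=example,dc=com
objectClass: groupOfNames
cn: lab
member: uid=joe,ou=students,dc=example,dc=com
member: uid=anna,ou=employees,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (no folded lines, no base64) into {dn: {attr: [values]}}.

    Attribute names are lower-cased because LDAP compares them
    case-insensitively (memberUid and memberUID are the same attribute).
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def index_by_uid(entries):
    """Return {uid: [dn, ...]} over all entries carrying a uid attribute."""
    by_uid = defaultdict(list)
    for dn, attrs in entries.items():
        for uid in attrs.get("uid", []):
            by_uid[uid.lower()].append(dn)
    return by_uid


def resolve_posix_group(entries, group_dn):
    """Map every memberUid value of a posixGroup to all entries whose uid matches.

    More than one DN for a value is the ambiguity Quanah describes: nothing
    in the group says which account was meant.
    """
    by_uid = index_by_uid(entries)
    return {uid: by_uid.get(uid.lower(), []) for uid in entries[group_dn]["memberuid"]}


def resolve_ldap_group(entries, group_dn):
    """Map every member DN of a groupOfNames to whether that entry exists.

    Plain string comparison stands in for DN normalization here; either way a
    DN names at most one entry, so the result is never ambiguous.
    """
    return {dn: dn in entries for dn in entries[group_dn]["member"]}


def duplicate_uids(entries):
    """Return uid values carried by more than one entry.

    This is the condition slapo-unique (olcUniqueURI over the uid attribute)
    rejects at write time; here it is only audited after the fact.
    """
    return {uid: dns for uid, dns in index_by_uid(entries).items() if len(dns) > 1}


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for uid, dns in resolve_posix_group(tree, "cn=lab,ou=groups,dc=example,dc=com").items():
        print(f"memberUid {uid!r} -> {len(dns)} candidate(s): {dns}")
    for dn, ok in resolve_ldap_group(tree, "cn=lab,ou=ldapgroups,dc=example,dc=com").items():
        print(f"member {dn} -> {'resolved' if ok else 'dangling'}")
    print("duplicate uid values:", duplicate_uids(tree))
```

Run as-is, the posixGroup resolves "joe" to two candidate entries while the groupOfNames resolves each member to exactly one; the duplicate report names the same two DNs, which is what a slapo-unique rule on uid would have prevented from being written in the first place. As Quanah notes in his reply, even with uniqueness enforced the posixGroup still identifies members by an attribute value rather than by DN.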
--On Monday, January 3, 2022 6:14 PM +0100 Michael Ströder michael@stroeder.com wrote:
> On 1/3/22 18:03, Quanah Gibson-Mount wrote:
>> In general, "memberUID" is for use with posix groups (NOT LDAP groups). But again, it's generally deficient since it cannot discern between two different entries with the same UID. I.e.:
>>
>> dn: uid=joe,ou=employees,dc=example,dc=com
>> uid: joe
>>
>> dn: uid=joe,ou=students,dc=example,dc=com
>> uid: joe
>
> But slapo-unique could be used to enforce uniqueness of the 'uid' attribute.
It could, but it still doesn't fix the fact that *LDAP* groups are made up of DNs, not random attribute:value pairs.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 03.01.22 at 18:19, Quanah Gibson-Mount wrote:
> --On Monday, January 3, 2022 6:14 PM +0100 Michael Ströder michael@stroeder.com wrote:
>> On 1/3/22 18:03, Quanah Gibson-Mount wrote:
>>> In general, "memberUID" is for use with posix groups (NOT LDAP groups). But again, it's generally deficient since it cannot discern between two different entries with the same UID. I.e.:
>>>
>>> dn: uid=joe,ou=employees,dc=example,dc=com
>>> uid: joe
>>>
>>> dn: uid=joe,ou=students,dc=example,dc=com
>>> uid: joe
>>
>> But slapo-unique could be used to enforce uniqueness of the 'uid' attribute.
>
> It could, but it still doesn't fix the fact that *LDAP* groups are made up of DNs, not random attribute:value pairs.
>
> --Quanah
That's why I built my own objectClasses for posixAccount and posixGroup:
---------------
dn: cn=stkaPosixExtension,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: stkaPosixExtension
olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.1 NAME 'stkaPosixGroup'
  DESC 'advanced PosixGroup for dynamic use'
  SUP top AUXILIARY
  MUST ( cn $ gidNumber )
  MAY ( userPassword $ memberUid $ description ) )
olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2 NAME 'stkaPosixAccount'
  DESC 'advanced PosixAccount for dynamic use'
  SUP posixAccount AUXILIARY
  MAY ( memberUID ) )
---------------
I can see the group with "getent group". I use sssd on the client with the following domain configuration:
--------------
[domain/EXAMPLE]
ldap_schema = rfc2307
ldap_uri =
ldap_search_base = dc=example,dc=net
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.NET
dns_discovery_domain = EXAMPLE.NET
krb5_server =
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = sssd-user
ldap_krb5_keytab = /etc/sssd/sssd-user.keytab
ldap_chpass_uri = ldap://ldap01.example.net:389
cache_credentials = True
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_id_use_start_tls = True
enumerate = TRUE
ldap_group_object_class = PosixGroup
ldap_group_object_class_alt = stkaPosixGroup
--------------
The parameter "enumerate = TRUE" is for testing only.
I see the group with "getent group", but the strange thing is, sometimes with all members and sometimes with an empty member list.
--On Monday, January 3, 2022 8:13 PM +0100 Stefan Kania stefan@kania-online.de wrote:
> That's why I built my own objectClasses for posixAccount and posixGroup:
Those are still posixGroups, not LDAP groups. Your question was about dynlist, which is purely for LDAP groups.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 1/3/22 20:13, Stefan Kania wrote:
> That's why I built my own objectClasses for posixAccount and posixGroup:
> [..]
> olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2 NAME 'stkaPosixAccount'
>   DESC 'advanced PosixAccount for dynamic use'
>   SUP posixAccount AUXILIARY
>   MAY ( memberUID ) )
'memberUid' is an RFC 2307 attribute in 'posixGroup' entries.
Not sure what semantics you want to define. But IMO the above does not make sense at all and you likely will run into funny effects with some LDAP clients which interpret these attributes in a certain way.
> I can see the group with "getent group". I use sssd on the client
This is rather unrelated to your original question. An NSS service (e.g. sssd) can do whatever it likes to build password and group maps.
Ciao, Michael.