OpenLDAP configuration for ldap-group authentication on Apache2.x

[Loren Cahlander <loren.cahlander@gmail.com>]

Hello folks,

I am working with the following configuration under Ubuntu:

||/ Name                              Version                              Description

+++-=================================-====================================-============================================

ii  apache2                           2.2.9-7ubuntu3.6                     Apache HTTP Server metapackage

ii  apache2-doc                       2.2.9-7ubuntu3.6                     Apache HTTP Server documentation

ii  apache2-mpm-prefork               2.2.9-7ubuntu3.6                     Apache HTTP Server - traditional non-threade

ii  apache2-utils                     2.2.9-7ubuntu3.6                     utility programs for webservers

ii  apache2.2-common                  2.2.9-7ubuntu3.6                     Apache HTTP Server common files

ii  ldap-account-manager              2.3.0-1                              webfrontend for managing accounts in an LDAP

ii  ldap-utils                        2.4.11-0ubuntu6.2                    OpenLDAP utilities

ii  libldap-2.4-2                     2.4.11-0ubuntu6.2                    OpenLDAP libraries

ii  slapd                             2.4.11-0ubuntu6.2                    OpenLDAP server (slapd)

ii  subversion                        1.5.1dfsg1-1ubuntu2.1                Advanced version control system

ii  subversion-tools                  1.5.1dfsg1-1ubuntu2.1                Assorted tools related to Subversion

And need to have groups being both posixGroup and groupOfUniqueNames.  Far below is my configuration.  If I try loading a group with with following:

dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org

gidNumber: 9999

objectClass: posixGroup

objectClass: groupOfUniqueNames

uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org

cn: my-dba

I get the following error:

ldap_add: Object class violation (65)

additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames)

Does anyone have a suggestion for how to deal with this error?  I am looking for a simple configuration that will work with the Apache Module mod_authnz_ldap to authenticate a user in Apache using "Require ldap-group".

Thank you,

Loren

 Installing LDAP

LDAP is the Lightweight Directory Access Protocol. This cental database of accounts, logins and groups will be used by all the systems including the eXist database, the subversion server and the e-mail system. Note that the roles in the role-based access control system are stored using the role manager

These commands will install a local LDAP server and a web based administrative application to manage groups and users within this virtual machine.

sudo apt-get install slapd ldap-utils ldap-account-manager

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

vi /home/exist/db.ldif

and insert the following listing:

01.###########################################################

02.# DATABASE SETUP

03.###########################################################

04. 

05.# Load modules for database type

06.dn: cn=module{0},cn=config

07.objectClass: olcModuleList

08.cn: module{0}

09.olcModulePath: /usr/lib/ldap

10.olcModuleLoad: {0}back_hdb

11. 

12.# Create directory database

13.dn: olcDatabase={1}hdb,cn=config

14.objectClass: olcDatabaseConfig

15.objectClass: olcHdbConfig

16.olcDatabase: {1}hdb

17.olcDbDirectory: /var/lib/ldap

18.olcSuffix: dc=exist-db,dc=org

19.olcRootDN: cn=admin,dc=exist-db,dc=org

20.olcRootPW: 1234

21.olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exist-db,dc=org" write by anonymous auth by self write by * none

22.olcAccess: {1}to dn.base="" by * read

23.olcAccess: {2}to * by dn="cn=admin,dc=exist-db,dc=org" write by * read

24.olcLastMod: TRUE

25.olcDbCheckpoint: 512 30

26.olcDbConfig: {0}set_cachesize 0 2097152 0

27.olcDbConfig: {1}set_lk_max_objects 1500

28.olcDbConfig: {2}set_lk_max_locks 1500

29.olcDbConfig: {3}set_lk_max_lockers 1500

30.olcDbIndex: uid pres,eq

31.olcDbIndex: cn,sn,mail pres,eq,approx,sub

32.olcDbIndex: objectClass eq

33. 

34. 

35.###########################################################

36.# DEFAULTS MODIFICATION

37.###########################################################

38.# Some of the defaults need to be modified in order to allow

39.# remote access to the LDAP config. Otherwise only root

40.# will have administrative access.

41. 

42.dn: cn=config

43.changetype: modify

44.delete: olcAuthzRegexp

45. 

46.dn: olcDatabase={-1}frontend,cn=config

47.changetype: modify

48.delete: olcAccess

49. 

50.dn: olcDatabase={0}config,cn=config

51.changetype: modify

52.add: olcRootPW

53.olcRootPW: {CRYPT}7hzU8RaZxaGi2

54. 

55.dn: olcDatabase={0}config,cn=config

56.changetype: modify

57.delete: olcAccess

Note

Note that this file has LDAP administration password (identified by olcRootPW) in it with the default value of "1234". If you want to change this put in your own password.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /home/exist/db.ldif

sudo vi /home/exist/base.ldif

and insert the following:

01.dn: dc=exist-db,dc=org

02.objectClass: dcObject

03.objectClass: organization

04.o: exist-db.org

05.dc: exist-db

06.description: Tree root

07. 

08.dn: cn=admin,dc=exist-db,dc=org

09.objectClass: simpleSecurityObject

10.objectClass: organizationalRole

11.cn: admin

12.userPassword: admin123

13.description: LDAP administrator

14. 

15.dn: ou=Users,dc=exist-db,dc=org

16.objectClass: organizationalUnit

17.ou: Users

18. 

19.dn: ou=Groups,dc=exist-db,dc=org

20.objectClass: organizationalUnit

21.ou: Groups

22. 

23.dn: uid=admin,ou=Users,dc=exist-db,dc=org

24.sn: Administrator

25.uidNumber: 1

26.gidNumber: 1

27.objectClass: person

28.objectClass: organizationalPerson

29.objectClass: inetOrgPerson

30.objectClass: posixAccount

31.uid: admin

32.cn: admin

33.homeDirectory: /

34. 

35.dn: uid=guest,ou=Users,dc=exist-db,dc=org

36.sn: guest

37.uidNumber: 2

38.gidNumber: 300

39.objectClass: person

40.objectClass: organizationalPerson

41.objectClass: inetOrgPerson

42.objectClass: posixAccount

43.uid: guest

44.cn: guest

45.homeDirectory: /guest

46. 

47.dn: cn=dba,ou=Groups,dc=exist-db,dc=org

48.objectClass: posixGroup

49.description: dba

50.gidNumber: 1

51.cn: dba

52. 

53.dn: cn=guest,ou=Groups,dc=exist-db,dc=org

54.objectClass: posixGroup

55.description: guest

56.gidNumber: 300

57.cn: guest

58.memberUid: admin

59. 

60.dn: cn=svn-update,ou=Groups,dc=exist-db,dc=org

61.objectClass: posixGroup

62.description: SVN Update

63.gidNumber: 400

64.cn: svn-update

65. 

66.dn: cn=svn-readonly,ou=Groups,dc=exist-db,dc=org

67.objectClass: posixGroup

68.description: SVN Read Only

69.gidNumber: 500

70.cn: svn-readonly

71. 

72.dn: cn=backup-access,ou=Groups,dc=exist-db,dc=org

73.objectClass: posixGroup

74.description: System backup page access.

75.gidNumber: 600

76.cn: backup-access

Note

Note that this file has database administration password in it with the default value of "admin123". If you want to change this put in your own password into the correct location..

You can now load this configuration file into the LDAP database with the ldapadd command.:

sudo ldapadd -x -D cn=admin,dc=exist-db,dc=org -W -f /home/exist/base.ldif

When prompted for the password, use "1234" unless you changed the value in db.ldif.