
Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?



Jefferson Davis wrote:
> So I've read, however, there is very little documentation on
> implementation, at least that I've been able to find.
There is tons of information about nis, rfc2307 and/or rfc2307bis.
However, it is easy to search but often hard to find.

So before you search the web, try using the right docs:
openldap admin guide & faq
http://www.openldap.org/

openldap man pages

openldap test suite ( in source tgz). Yes, read the sources.

the archive of this mailing list

the rfcs
http://tools.ietf.org/rfc/index

use the latest rfc2307bis rfc draft
http://tools.ietf.org/html/draft-howard-rfc2307bis-02

the docs & man pages for your favorite nss software
PADL's old nss suite
Arthur de Jong's suite (nss-pam-ldapd)
and finally
OpenLDAP's nssov contrib module
 
> ----- Original Message -----
> 
> From: "Dieter Klünter" <dieter@dkluenter.de>
> To: openldap-technical@openldap.org
> Sent: Friday, February 21, 2014 10:55:58 PM
> Subject: Re: strategy for getting groupOfNames (AD) and posixAccount
> (Unix) to coexist?
> 
> Am Fri, 21 Feb 2014 11:14:12 -0800 (PST)
> 
> schrieb Jefferson Davis <jdavis@standard.k12.ca.us>:
> > This has been beating me like a red-headed stepchild...
> > 
> > In the AD world, groupOfNames is expected (in combination with the
> > member attribute, provides for reverse group resolution, ie users
> > by group membership AND groups by member inclusion).
> 
> This can be achieved by overlay memberOf, man slapo-memberof(5).
> 
> > On the unix side of the fence, groups REQUIRE a gidNumber in order
> > to resolve group membership, using posixGroup structural OC in
> > conjunction with memberUID.
That, using posixGroup as structural OC, is true for the quite old and
obsolete nis schema.
 
> The rfc2307bis.schema provides auxiliary object classes to solve
> this. In addition you may use the groupOfNames objectclass.
or the groupOfMembers objectclass from draft-howard-rfc2307bis-02,
because this OC supports empty groups and has ordering rules for
uidNumber/gidNumber.

> > In attempting to future-proof our ldap services, and to accommodate
> > the AD-Focused nature of commercial products, I'm attempting to get
> > this to all work automatically, ie use the same group setup for
> > both (probably naive and ill-advised?).
Windows groups and Unix groups are not the same thing. So it is quite
normal that you have issues with them.

> > But you CANNOT have
> > multiple structural objectclasses in a single entry. So these
> > requirements put group structures in direct opposition of one
> > another.
Only right for the nis schema and the rfc2307 schema; use rfc2307bis
(latest version).

> > Has anyone resolved this successfully, and if so, how? Overlays
> > (which ones, examples)? Schema mods (examples?)
> > 
> > Splitting groups off as unix groups vs windows groups (sync could
> > get ugly) and could run into other issues with respect to file and
> > dir permissions.
> > 
> > I also need to avoid breaking smbldap-tools, which at the moment
> > appears NOT to support the groupofnames model.
Good joke,
smbldap-tools was designed for Samba versions that are unsupported today.
Use samba-ad and forget smbldap-tools forever.

> > Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from
> > older OpenLDAP version.
Use a recent version of OpenLDAP, not this old stuff. If you must use
the CentOS 6 release of OpenLDAP, this list is not yours.

> > I'm somewhat open to considering a
> > different LDAP service (389/Apache/OpenDJ) though I've found java
> > to be a resource pig in the extreme, and would prefer to avoid if
> > possible.
Use Perl's Net::LDAP module.

> > If you have this working I would love to see the relevant
> > configuration files.
> 
> -Dieter


-- 

Harry Jede
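The schema point made in this thread (one group entry that is both a DN-based group for AD-style tools and a gidNumber-bearing group for NSS) is easiest to see in LDIF. The following is an added example, not configuration posted by anyone in the thread. It assumes rfc2307bis.schema has been loaded in place of the stock nis.schema (under rfc2307bis, posixGroup is AUXILIARY, so it can sit on top of the structural groupOfNames, which is exactly what the nis schema forbids), that the data database is olcDatabase={1}mdb, that slapd was built with memberof as a loadable module, and that the suffix, group name and uids are placeholders.

```ldif
# Added example (not from the thread). Assumes rfc2307bis.schema is
# loaded instead of nis.schema, database olcDatabase={1}mdb, and a
# slapd with memberof built as a module. Suffix, cn and uids are
# placeholders.

# 1. Load slapo-memberof so that users carry a memberOf attribute
#    (reverse lookup: user -> groups), maintained from the group's
#    member attribute. Skip the module load if memberof is built in.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# 2. One group entry for both worlds:
#    - groupOfNames (STRUCTURAL): member DNs, what AD-oriented
#      products expect;
#    - posixGroup (AUXILIARY in rfc2307bis): gidNumber, what NSS
#      needs. This combination is rejected with an objectClass
#      violation under nis.schema, where posixGroup is STRUCTURAL.
dn: cn=devs,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
cn: devs
gidNumber: 10001
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
```

Two checks after applying this with ldapmodify: `ldapsearch -x -b uid=alice,ou=people,dc=example,dc=com memberOf` should return the group DN, and `getent group devs` on a host whose NSS client is configured for rfc2307bis-style groups should show the gid 10001 and both members. Two caveats a practitioner will hit: slapo-memberof only maintains memberOf for modifications made after the overlay is configured, so groups that already exist must be re-added for their members to pick up the attribute; and groupOfNames requires at least one member value, which is why the thread points at groupOfMembers from draft-howard-rfc2307bis-02 when empty groups are needed.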