
RE: OpenLDAP configuration for ldap-group authentication on Apache2.x



Loren,

You need to replace the "nis.schema" schema file with a "rfc2307bis.schema" file because both posixGroup and groupOfNames are STRUCTURAL classes. Using rfc2307 schema, one object class becomes auxiliary and allows both to co-exist within the same object declaration.

OTOH, see if you can configure mod_authnz_ldap to look for the "member" attribute instead of "memberUid". This will obviate the need for having posixGroup in the object instantiation.

Hope this helps,


Siddhartha
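The rule slapd is enforcing here is worth seeing in code. The following Python script is an added example, not part of Siddhartha's reply or of Loren's post: it implements the RFC 4512 requirement that an entry's STRUCTURAL object classes all lie on one superior chain, and runs it over a copy of Loren's group entry under a nis.schema-style table (posixGroup STRUCTURAL) and an rfc2307bis-style table (posixGroup AUXILIARY). The schema tables are a hand-written subset assumed for the example, not parsed from the real schema files, and the entries are constructed copies of the ones in the thread.

```python
"""Added example: reproduce slapd's "invalid structural object class chain"
check (RFC 4512: exactly one STRUCTURAL chain per entry) for the entries in
the thread, under nis.schema and under rfc2307bis."""

# (kind, SUP) per class; 'top' is ABSTRACT.  Hand-written subset, assumed.
_CORE = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "groupOfNames": ("STRUCTURAL", "top"),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
}
NIS_SCHEMA = dict(_CORE, posixGroup=("STRUCTURAL", "top"))        # nis.schema (RFC 2307)
RFC2307BIS_SCHEMA = dict(_CORE, posixGroup=("AUXILIARY", "top"))  # rfc2307bis.schema

# Constructed copies of entries from the thread.
GROUP_LDIF = """\
dn: cn=my-dba,ou=Groups,dc=exist-db,dc=org
gidNumber: 9999
objectClass: posixGroup
objectClass: groupOfUniqueNames
uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
cn: my-dba
"""
USER_LDIF = """\
dn: uid=admin,ou=Users,dc=exist-db,dc=org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: admin
cn: admin
sn: Administrator
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr_lower: [values]}).  Handles
    comments and folded continuation lines; base64 ("::") is not needed here."""
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    dn, attrs = None, {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def superior_chain(schema, oc):
    """Chain from oc up to top, e.g. [inetOrgPerson, organizationalPerson, person, top]."""
    out = []
    while oc is not None:
        out.append(oc)
        oc = schema[oc][1]
    return out


def structural_chain(schema, object_classes):
    """Return (True, most specific STRUCTURAL class) or (False, reason).
    Class names match case-insensitively, as in LDAP."""
    canonical = {name.lower(): name for name in schema}
    ocs = []
    for oc in object_classes:
        if oc.lower() not in canonical:
            return False, "unknown object class: %s" % oc
        ocs.append(canonical[oc.lower()])
    structural = [oc for oc in ocs if schema[oc][0] == "STRUCTURAL"]
    if not structural:
        return False, "no structural object class provided"
    # Valid only if one structural class has every other one on its chain.
    for candidate in structural:
        if all(s in superior_chain(schema, candidate) for s in structural):
            return True, candidate
    return False, "invalid structural object class chain (%s)" % "/".join(structural)


def check_entry(schema, ldif_text):
    """Parse an LDIF entry and apply the structural-chain rule to it."""
    _dn, attrs = parse_ldif_entry(ldif_text)
    return structural_chain(schema, attrs.get("objectclass", []))


if __name__ == "__main__":
    print("nis.schema  group:", check_entry(NIS_SCHEMA, GROUP_LDIF))
    print("rfc2307bis  group:", check_entry(RFC2307BIS_SCHEMA, GROUP_LDIF))
    print("nis.schema  user :", check_entry(NIS_SCHEMA, USER_LDIF))
```

Under the nis.schema table the group entry fails with the same text slapd printed, "invalid structural object class chain (posixGroup/groupOfUniqueNames)"; under the rfc2307bis table it passes with groupOfUniqueNames as the structural class, while a user entry carrying person/organizationalPerson/inetOrgPerson passes either way because those three are one chain. On the mod_authnz_ldap side, if the group is left as a plain groupOfUniqueNames with uniqueMember holding the user's DN, the Apache 2.2 defaults already fit (AuthLDAPGroupAttribute defaults to member and uniqueMember, AuthLDAPGroupAttributeIsDN to on); to check posixGroup membership instead, set AuthLDAPGroupAttribute memberUid and AuthLDAPGroupAttributeIsDN off so the module compares the login name rather than the DN.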



From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org [mailto:openldap-technical-bounces+sjain=silverspringnet.com@openldap.org] On Behalf Of Loren Cahlander
Sent: Tuesday, June 01, 2010 9:05 AM
To: openldap-technical@openldap.org
Cc: Loren Cahlander
Subject: OpenLDAP configuration for ldap-group authentication on Apache2.x

Hello folks,

I am working with the following configuration under Ubuntu:

||/ Name                              Version                              Description
+++-=================================-====================================-============================================
ii  apache2                           2.2.9-7ubuntu3.6                     Apache HTTP Server metapackage
ii  apache2-doc                       2.2.9-7ubuntu3.6                     Apache HTTP Server documentation
ii  apache2-mpm-prefork               2.2.9-7ubuntu3.6                     Apache HTTP Server - traditional non-threade
ii  apache2-utils                     2.2.9-7ubuntu3.6                     utility programs for webservers
ii  apache2.2-common                  2.2.9-7ubuntu3.6                     Apache HTTP Server common files
ii  ldap-account-manager              2.3.0-1                              webfrontend for managing accounts in an LDAP
ii  ldap-utils                        2.4.11-0ubuntu6.2                    OpenLDAP utilities
ii  libldap-2.4-2                     2.4.11-0ubuntu6.2                    OpenLDAP libraries
ii  slapd                             2.4.11-0ubuntu6.2                    OpenLDAP server (slapd)
ii  subversion                        1.5.1dfsg1-1ubuntu2.1                Advanced version control system
ii  subversion-tools                  1.5.1dfsg1-1ubuntu2.1                Assorted tools related to Subversion

And need to have groups being both posixGroup and groupOfUniqueNames.  Far below is my configuration.  If I try loading a group with the following:

dn: cn=my-dba,ou=Groups,dc=exist-db, dc=org
gidNumber: 9999
objectClass: posixGroup
objectClass: groupOfUniqueNames
uniqueMember: uid=lcahlander,ou=Users,dc=exist-db,dc=org
cn: my-dba

I get the following error:

ldap_add: Object class violation (65)
	additional info: invalid structural object class chain (posixGroup/groupOfUniqueNames)

Does anyone have a suggestion for how to deal with this error?  I am looking for a simple configuration that will work with the Apache Module mod_authnz_ldap to authenticate a user in Apache using "Require ldap-group".

Thank you,

Loren

INSTALLING LDAP
LDAP is the Lightweight Directory Access Protocol. This central database of accounts, logins and groups will be used by all the systems including the eXist database, the subversion server and the e-mail system. Note that the roles in the role-based access control system are stored using the role manager.
These commands will install a local LDAP server and a web based administrative application to manage groups and users within this virtual machine.
sudo apt-get install slapd ldap-utils ldap-account-manager

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

vi /home/exist/db.ldif
and insert the following listing:
###########################################################
# DATABASE SETUP
###########################################################

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=exist-db,dc=org
olcRootDN: cn=admin,dc=exist-db,dc=org
olcRootPW: 1234
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exist-db,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=exist-db,dc=org" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq


###########################################################
# DEFAULTS MODIFICATION
###########################################################
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {CRYPT}7hzU8RaZxaGi2

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
Note
Note that this file has the LDAP administration password (identified by olcRootPW) in it, with the default value of "1234". If you want to change this, put in your own password.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /home/exist/db.ldif
sudo vi /home/exist/base.ldif
and insert the following:
dn: dc=exist-db,dc=org
objectClass: dcObject
objectClass: organization
o: exist-db.org
dc: exist-db
description: Tree root

dn: cn=admin,dc=exist-db,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: admin123
description: LDAP administrator

dn: ou=Users,dc=exist-db,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=exist-db,dc=org
objectClass: organizationalUnit
ou: Groups

dn: uid=admin,ou=Users,dc=exist-db,dc=org
sn: Administrator
uidNumber: 1
gidNumber: 1
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: admin
cn: admin
homeDirectory: /

dn: uid=guest,ou=Users,dc=exist-db,dc=org
sn: guest
uidNumber: 2
gidNumber: 300
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: guest
cn: guest
homeDirectory: /guest

dn: cn=dba,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: dba
gidNumber: 1
cn: dba

dn: cn=guest,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: guest
gidNumber: 300
cn: guest
memberUid: admin

dn: cn=svn-update,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: SVN Update
gidNumber: 400
cn: svn-update

dn: cn=svn-readonly,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: SVN Read Only
gidNumber: 500
cn: svn-readonly

dn: cn=backup-access,ou=Groups,dc=exist-db,dc=org
objectClass: posixGroup
description: System backup page access.
gidNumber: 600
cn: backup-access
Note
Note that this file has the database administration password in it, with the default value of "admin123". If you want to change this, put your own password in the correct location.
You can now load this configuration file into the LDAP database with the ldapadd command:
sudo ldapadd -x -D cn=admin,dc=exist-db,dc=org -W -f /home/exist/base.ldif
When prompted for the password, use "1234" unless you changed the value in db.ldif.
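One thing a reviewer would flag in the db.ldif and base.ldif listings above is that the hdb rootdn password ("olcRootPW: 1234") and the cn=admin entry's password ("userPassword: admin123") are stored in cleartext, while the config database's olcRootPW already carries a hashed {CRYPT} value. slapd accepts pre-hashed values in these attributes, and slappasswd -h {SSHA} (shipped with slapd) produces them. The following Python script is an added example, not part of Loren's post: it builds and verifies {SSHA} values in the format slappasswd emits (base64 of SHA-1(password || salt) followed by the salt) and rewrites the cleartext olcRootPW/userPassword lines of an LDIF text with them, leaving values that already have a scheme prefix alone. The sample LDIF is a constructed excerpt of the two files; the salt_for hook exists only so the output can be made deterministic.

```python
"""Added example: generate/verify {SSHA} password values as slappasswd does,
and replace cleartext olcRootPW / userPassword values in an LDIF text."""
import base64
import hashlib
import hmac
import os

_PREFIX = "{SSHA}"
_SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(SHA1(password || salt) || salt).
    slappasswd uses a 4-byte random salt; a fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return _PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt).  The salt is whatever
    follows the 20-byte digest, so any salt length verifies."""
    if not stored.startswith(_PREFIX):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len(_PREFIX):])
    if len(raw) <= _SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[:_SHA1_LEN], raw[_SHA1_LEN:]


def ssha_verify(password, stored):
    """True if password matches the stored {SSHA} value (constant-time compare)."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Attributes that should never hold a cleartext value in the LDIF files.
CLEARTEXT_ATTRS = ("olcrootpw", "userpassword")


def harden_ldif(text, salt_for=None):
    """Return text with every cleartext olcRootPW/userPassword value replaced
    by an {SSHA} hash.  Values that already carry a scheme ({SSHA}, {CRYPT},
    ...) or are base64-encoded ("attr:: ...") are left untouched."""
    out = []
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CLEARTEXT_ATTRS:
            value = value.strip()
            if not value.startswith("{") and not value.startswith(":"):
                salt = salt_for() if salt_for else None
                line = "%s: %s" % (name, ssha_hash(value, salt))
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt of the db.ldif / base.ldif lines from the post.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=exist-db,dc=org
olcRootPW: 1234

dn: olcDatabase={0}config,cn=config
olcRootPW: {CRYPT}7hzU8RaZxaGi2

dn: cn=admin,dc=exist-db,dc=org
userPassword: admin123
"""

if __name__ == "__main__":
    print(harden_ldif(SAMPLE_LDIF))
```

Paste the emitted olcRootPW and userPassword lines in place of the cleartext ones before running ldapadd; the final `ldapadd -x -D cn=admin,dc=exist-db,dc=org -W` still takes the cleartext password at the prompt, because slapd hashes the typed value with the stored salt and compares digests, exactly as ssha_verify does.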