[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?

To: harry jede <harry.jede@arcor.de>
Subject: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
From: Jefferson Davis <jdavis@standard.k12.ca.us>
Date: Wed, 26 Feb 2014 09:31:26 -0800 (PST)
Cc: openldap-technical@openldap.org
In-reply-to: <201402261355.26644.harry.jede@arcor.de>

thanks very much...  started digging knot the official admin guide again yesterday.

I'm paranoid about breaking the automation we've been able to achieve with this so far...

----- Original Message -----
From: harry jede &lt;harry.jede@arcor.de&gt;
To: openldap-technical@openldap.org
Sent: Wed, 26 Feb 2014 04:55:26 -0800 (PST)
Subject: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?

Jefferson Davis wrote:
&gt; So I've read, however, there is very little documentation on
&gt; implementation, at least that I've been able to find.
There are tons of information about nis, rf2307 and/or rfc207bis.
However it is easy to search but often hard to find.

So before you search the web, try using the right docs:
openldap admin guide &amp; faq
http://http://www.openldap.org/

openldap man pages

openldap test suite ( in source tgz). Yes, read the sources.

the archive of this mailing list

the rfcs
http://http://tools.ietf.org/rfc/index

use the latest rfc2307bis rfc draft
http://http://tools.ietf.org/html/draft-howard-rfc2307bis-02

the docs &amp; man pages for your favorite nss software
padls old nss suite
arthur de jonngs suite (nss-pam-ldapd)
and finaly
openldaps nssov contrib modul

&gt; ----- Original Message -----
&gt; 
&gt; From: "Dieter KlÃnter" &lt;dieter@dkluenter.de&gt;
&gt; To: openldap-technical@openldap.org
&gt; Sent: Friday, February 21, 2014 10:55:58 PM
&gt; So I've read, however, there is very little documentation on
&gt; implementation, at least that I've been able to find. Subject: Re:
&gt; strategy for getting groupOfNames (AD) and posixAccount (Unix) to
&gt; coexist?
&gt; 
&gt; Am Fri, 21 Feb 2014 11:14:12 -0800 (PST)
&gt; 
&gt; schrieb Jefferson Davis &lt;jdavis@standard.k12.ca.us&gt;:
&gt; &gt; This has been beating me like a red-headed stepchild...
&gt; &gt; 
&gt; &gt; In the AD world, groupOfNames is expected (in combination with the
&gt; &gt; member attribute, provides for reverse group resolution, ie users
&gt; &gt; by group membership AND groups by member inclusion).
&gt; 
&gt; This can be achieved by overlay memberOf, man slapo-memberof(5).
&gt; 
&gt; &gt; On the unix side of the fence, groups REQUIRE a gidNumber in order
&gt; &gt; to resolve group membership, using posixGroup structural OC in
&gt; &gt; conjunction with memberUID.
That, using posixGroup structural OC, is true for the quite old and 
obsolet nis schema.

&gt; The rfc2307bis.schema provides auxiliary object classes to solve
&gt; this. In addition you may use the groupOfNames objectclass.
or the groupOfMembers objectclass from draft-howard-rfc2307bis-02,
because this oc supports empty groups and has ordering rules for 
uidnumber/gidnumber

&gt; &gt; In attempting to future-proof our ldap services, and to accommodate
&gt; &gt; the AD-Focused nature of commercial products, I'm attempting to get
&gt; &gt; this to all work automatically, ie use the same group setup for
&gt; &gt; both (probably naive and ill-advised?).
Windows groups and unix groups are not the same thing. So, that you have 
issues with them is quite normal.

&gt; &gt; But you CANNOT have
&gt; &gt; multiple structural objectclasses in a single entry. So these
&gt; &gt; requirements put group structures in direct opposition of one
&gt; &gt; another.
Only right for nis schema and rf2307 schems, use rfc2307bis (latest 
version).

&gt; &gt; Has anyone resolved this successfully, and if so, how? Overlays
&gt; &gt; (which ones, examples)? Schema mods (examples?)
&gt; &gt; 
&gt; &gt; Splitting groups off as unix groups vs windows groups (sync could
&gt; &gt; get ugly) and could run into other issues with respect to file and
&gt; &gt; dir permissions.
&gt; &gt; 
&gt; &gt; I also need to avoid breaking smbldap-tools, which at the moment
&gt; &gt; appears NOT to support the groupofnames model.
Good joke,
smbldap-tools was designed for today unsupported samba versions.
Use samba-ad and forget smbldap-tools forever.

&gt; &gt; Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from
&gt; &gt; older OpenLDAP version.
Use a recent version of openldap, not this old stuff. If you must use 
the CentOS 6 release of openldap, this list is not yours.

&gt; &gt; I'm somewhat open to considering a
&gt; &gt; different LDAP service (389/Apache/OpenDJ) though I've found java
&gt; &gt; to be a resource pig in the extreme, and would prefer to avoid if
&gt; &gt; possible.
Use perls NET::LDAP modul.

&gt; &gt; If you have this working I would love to see the relevant
&gt; &gt; configuration files.
&gt; 
&gt; -Dieter

-- 

Harry Jede

-- 

Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 
http://district.standard.k12.ca.us 

District Users:  Click here to report technology issues

References:
- Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
  - From: harry.jede@arcor.de

Prev by Date: memberOf values case
Next by Date: Re: memberOf values case
Index(es):
- Chronological
- Thread