Jefferson Davis wrote:
> So I've read, however, there is very little documentation on
> implementation, at least that I've been able to find.

There is tons of information about nis, rfc2307 and/or rfc2307bis. However, it is easy to search but often hard to find.

So before you search the web, try using the right docs:

- openldap admin guide & faq http://www.openldap.org/
- openldap man pages
- openldap test suite (in source tgz). Yes, read the sources.
- the archive of this mailing list
- the rfcs http://tools.ietf.org/rfc/index
- use the latest rfc2307bis rfc draft http://tools.ietf.org/html/draft-howard-rfc2307bis-02
- the docs & man pages for your favorite nss software: PADL's old nss suite, Arthur de Jong's suite (nss-pam-ldapd) and finally openldap's nssov contrib module

> ----- Original Message -----
> From: "Dieter Klünter" <die...@dkluenter.de>
> To: openldap-technical@openldap.org
> Sent: Friday, February 21, 2014 10:55:58 PM
> Subject: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
>
> Am Fri, 21 Feb 2014 11:14:12 -0800 (PST)
> schrieb Jefferson Davis <jda...@standard.k12.ca.us>:
>
> > This has been beating me like a red-headed stepchild...
> >
> > In the AD world, groupOfNames is expected (in combination with the
> > member attribute, provides for reverse group resolution, ie users
> > by group membership AND groups by member inclusion).
>
> This can be achieved by overlay memberOf, man slapo-memberof(5).
>
> > On the unix side of the fence, groups REQUIRE a gidNumber in order
> > to resolve group membership, using posixGroup structural OC in
> > conjunction with memberUID.

That, using posixGroup structural OC, is true for the quite old and obsolete nis schema.

> The rfc2307bis.schema provides auxiliary object classes to solve
> this. In addition you may use the groupOfNames objectclass.

or the groupOfMembers objectclass from draft-howard-rfc2307bis-02, because this oc supports empty groups and has ordering rules for uidNumber/gidNumber.

> > In attempting to future-proof our ldap services, and to accommodate
> > the AD-Focused nature of commercial products, I'm attempting to get
> > this to all work automatically, ie use the same group setup for
> > both (probably naive and ill-advised?).

Windows groups and unix groups are not the same thing. So, that you have issues with them is quite normal.

> > But you CANNOT have
> > multiple structural objectclasses in a single entry. So these
> > requirements put group structures in direct opposition of one
> > another.

Only right for nis schema and rfc2307 schema, use rfc2307bis (latest version).

> > Has anyone resolved this successfully, and if so, how? Overlays
> > (which ones, examples)? Schema mods (examples?)
> >
> > Splitting groups off as unix groups vs windows groups (sync could
> > get ugly) and could run into other issues with respect to file and
> > dir permissions.
> >
> > I also need to avoid breaking smbldap-tools, which at the moment
> > appears NOT to support the groupofnames model.

Good joke, smbldap-tools was designed for today unsupported samba versions. Use samba-ad and forget smbldap-tools forever.

> > Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from
> > older OpenLDAP version.

Use a recent version of openldap, not this old stuff. If you must use the CentOS 6 release of openldap, this list is not yours.

> > I'm somewhat open to considering a
> > different LDAP service (389/Apache/OpenDJ) though I've found java
> > to be a resource pig in the extreme, and would prefer to avoid if
> > possible.

Use perl's Net::LDAP module.

> > If you have this working I would love to see the relevant
> > configuration files.
>
> -Dieter

-- 
Harry Jede
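Added illustration, not part of the thread above: one LDIF showing the combination the replies describe, a single group entry that is groupOfNames (structural) plus posixGroup (auxiliary under rfc2307bis.schema) and the memberOf overlay from slapo-memberof(5) wired to that entry's member attribute. The suffix, the database DN and the users are constructed; it assumes rfc2307bis.schema is loaded in place of nis.schema.

```ldif
# Constructed example. With nis.schema posixGroup is STRUCTURAL and slapd
# rejects this entry (two structural classes); with rfc2307bis.schema
# posixGroup is AUXILIARY, so AD-style member DNs and Unix gidNumber/memberUid
# live in the same entry.
dn: cn=sysadmins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: posixGroup
cn: sysadmins
gidNumber: 10001
member: uid=jdavis,ou=people,dc=example,dc=org
member: uid=hjede,ou=people,dc=example,dc=org
memberUid: jdavis
memberUid: hjede

# memberOf overlay (cn=config form) so that "users by group" resolves through
# the member attribute and "groups by user" through the generated memberOf
# attribute. Directive names are from slapo-memberof(5); the database DN
# ({1}mdb) is an assumption about the deployment.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
olcMemberOfRefInt: TRUE
```

memberUid and member are independent attributes, so whatever tool adds or removes users must update both, or the NSS side must be configured to read membership from member; the overlay only maintains memberOf.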