OpenLDAP configuration using posixGroup and groupOfNames

My requirement is to add the posixGroup and groupOfNames object classes together when adding an LDAP group using LDIF. Since both classes are STRUCTURAL, this cannot be done.

To achieve this, I used the link below, where they mention creating a customPosixGroup. https://devopsideas.com/openldap-linux-client-ldap-integration/

The steps they mention in the link are:

Overcoming posixGroup and groupOfNames caveat

We will be creating server group objects of type posixGroup under ou=server container. The posixgroup is required to provide the translation between group id numbers and their name. We’ll be providing access to servers based on membership of the groups. posixGroup’s member attribute is called memberUID and simply lists the uid of the member. Using this alone, there’s really no solid way to identify the specific distinguished name of the group member.

The problem we have is that the memberOf attribute is part of the groupOfNames objectClass. We cannot use both posixGroup and groupOfNames together since both are STRUCTURAL objectClasses (an entry can have only one STRUCTURAL object class).

To overcome this, we need to create a custom objectClass that will be a clone of posixGroup but of type AUXILIARY instead of STRUCTURAL. Hence we will be able to use groupOfNames along with the custom posixGroup, which is almost identical to posixGroup except for the class type.

The posixGroup exists in the nis schema and hence we’ll make the change there.

Create a file named schema_update.ldif with the content below:

dn: cn={2}nis,cn=schema,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: {13}( 1.3.6.1.1.1.2.13 NAME 'customposixGroup' DESC 'Abstraction of a group of accounts' AUXILIARY MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description $ member ) )

{2} denotes the order. You can refer to ‘/etc/ldap/slapd.d/cn\=config/cn\=schema’ to get this.

We have named the custom group customposixGroup. This contains all the attributes that are part of posixGroup, except that the class type is marked ‘AUXILIARY’.

Run the command below to make the changes:

ldapmodify -W -D cn=admin,cn=config -f schema_update.ldif

I followed the steps and added the customposixGroup, and after that added the group as:

dn: cn=server_dev,ou=graylog,ou=rgroup,dc=rad,dc=com
objectclass: customposixGroup
objectclass: groupOfNames
cn: server_dev
gidNumber: 7000
description: Server Dev Group
member: uid=aron.francis,ou=People,dc=rad,dc=com

Then, on my Linux client side I have configured sssd, but if I query using the id command, the group name is not displayed.

I wanted help on why the group name is not displayed when I use the id command from the LDAP client.

But if I use posixGroup instead of customPosixGroup, and not the groupOfNames object class, then the group name is displayed.

I am trying to configure the OpenLDAP server setup but I am stuck at the point mentioned above. I need help on that and also wanted to know if I have done any wrong configuration. If you need more info, kindly reply so that I can provide it.

Solution 1:[1]

There's an option in the sssd config that tells it which group object class to check out (the default value is posixGroup [https://linux.die.net/man/5/sssd-ldap]):

ldap_group_object_class = customposixGroup

After adding the option, restart sssd and clear the cache using sss_cache -E.

Hope it helps.
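The two checks this thread turns on, worked as an added example (this is not code from the question, the linked blog post or either answer): the slapd rule that an entry may carry only one STRUCTURAL objectClass, which is why the AUXILIARY customposixGroup has to sit next to groupOfNames, and sssd's ldap_group_object_class filter, which defaults to posixGroup, so an entry carrying only customposixGroup never shows up in id until the option is set. The posixGroup and groupOfNames definitions are reproduced as illustrative data rather than read from a running server; the sssd.conf fragments, the domain name rad and the ldap_uri value are constructed; and the parsers handle only the simple attr: value form of the LDIF and schema lines shown on this page.

```python
"""Checks behind this thread: OpenLDAP's one-STRUCTURAL-class rule and
sssd's ldap_group_object_class filter. Schema strings and config text are
constructed for the example (the posixGroup/groupOfNames definitions are
reproduced from the nis and core schemas as illustrative data)."""
import configparser
import re

# olcObjectClasses definition syntax, as used in schema_update.ldif.
_OC_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+DESC\s+'[^']*')?"
    r"(?:\s+SUP\s+(?P<sup>\S+))?"
    r"\s+(?P<kind>STRUCTURAL|AUXILIARY|ABSTRACT)"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\S+))?"
    r"(?:\s+MAY\s+(?P<may>\([^)]*\)|\S+))?"
)


def _attrs(text):
    """'( cn $ gidNumber )' -> ['cn', 'gidNumber']; None -> []."""
    return [a.strip() for a in (text or "").strip("() ").split("$") if a.strip()]


def parse_objectclass(definition):
    """Parse one olcObjectClasses value into name / kind / MUST / MAY."""
    definition = re.sub(r"^\{\d+\}", "", definition.strip())  # drop the {n} ordering prefix
    m = _OC_RE.search(definition)
    if m is None:
        raise ValueError("unparseable objectClass definition: " + definition)
    return {"name": m["name"], "kind": m["kind"],
            "must": _attrs(m["must"]), "may": _attrs(m["may"])}


SCHEMA_DEFINITIONS = [
    "( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts'"
    " SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )",
    "( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)'"
    " SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )",
    # The AUXILIARY clone from schema_update.ldif in the question.
    "{13}( 1.3.6.1.1.1.2.13 NAME 'customposixGroup' DESC 'Abstraction of a group of accounts'"
    " AUXILIARY MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description $ member ) )",
]
SCHEMA = {oc["name"].lower(): oc for oc in map(parse_objectclass, SCHEMA_DEFINITIONS)}


def parse_ldif_entry(text):
    """Minimal LDIF reader: one entry, 'attr: value' lines only (no base64, no folding).
    LDAP attribute names are case-insensitive, so keys are lower-cased."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def validate_entry(entry):
    """Return the reasons slapd would reject the entry ([] means acceptable)."""
    problems, classes = [], []
    for name in entry.get("objectclass", []):
        oc = SCHEMA.get(name.lower())
        if oc is None:
            problems.append("unknown objectClass " + name)
        else:
            classes.append(oc)
    structural = [oc["name"] for oc in classes if oc["kind"] == "STRUCTURAL"]
    if len(structural) > 1:
        problems.append("more than one STRUCTURAL objectClass: " + ", ".join(structural))
    elif not structural:
        problems.append("no STRUCTURAL objectClass")
    for oc in classes:  # every MUST attribute of every class has to be present
        for attr in oc["must"]:
            if attr.lower() not in entry:
                problems.append(f"{oc['name']} requires {attr}")
    return problems


def sssd_sees_group(sssd_conf, domain, entry):
    """sssd only treats entries matching ldap_group_object_class as groups; the
    option defaults to posixGroup (sssd-ldap(5)), so an entry that carries only
    customposixGroup stays invisible to id until the option is set."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(sssd_conf)
    wanted = cp.get(f"domain/{domain}", "ldap_group_object_class", fallback="posixGroup")
    return wanted.lower() in {c.lower() for c in entry.get("objectclass", [])}


def diagnose(entry_text, sssd_conf, domain="rad"):
    entry = parse_ldif_entry(entry_text)
    return {"schema_problems": validate_entry(entry),
            "sssd_sees_group": sssd_sees_group(sssd_conf, domain, entry)}


# Constructed sample data: the group entry from the question, a variant that
# uses the two STRUCTURAL classes directly, and two sssd.conf fragments.
GROUP_ENTRY = """\
dn: cn=server_dev,ou=graylog,ou=rgroup,dc=rad,dc=com
objectclass: customposixGroup
objectclass: groupOfNames
cn: server_dev
gidNumber: 7000
description: Server Dev Group
member: uid=aron.francis,ou=People,dc=rad,dc=com
"""
TWO_STRUCTURAL_ENTRY = GROUP_ENTRY.replace("customposixGroup", "posixGroup")
SSSD_DEFAULT = """\
[sssd]
domains = rad
[domain/rad]
id_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = dc=rad,dc=com
"""
SSSD_FIXED = SSSD_DEFAULT + "ldap_group_object_class = customposixGroup\n"

if __name__ == "__main__":
    print("default sssd.conf:", diagnose(GROUP_ENTRY, SSSD_DEFAULT))
    print("with ldap_group_object_class:", diagnose(GROUP_ENTRY, SSSD_FIXED))
    print("posixGroup + groupOfNames:", diagnose(TWO_STRUCTURAL_ENTRY, SSSD_DEFAULT))
```

Running the script shows the question's entry passing the schema check but being invisible to sssd under the default config, the same entry visible once ldap_group_object_class = customposixGroup is added to the [domain/...] section, and the posixGroup plus groupOfNames variant rejected for carrying two STRUCTURAL classes. On a real client the option goes into /etc/sssd/sssd.conf, followed by the restart and sss_cache -E that Solution 1 describes.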

Solution 2:[2]

Instead of patching your nis.schema, try using the rfc2307bis.schema. It already has an aux posixGroup.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1:
Solution 2: Arigion