0 Replies Latest reply: Nov 27, 2011 11:59 PM by snmdla RSS

Beehive enhancement of the day: enhance group support with (Open)LDAP

snmdla Explorer
Today I'm going to be somewhat lazy and just reboil an issue that was addressed here about two years ago, but which is still an issue for those using (Open)LDAP as a directory server with beehive.

With an OpenLDAP directory install on SuSE enterprise linux, LDAP-based administration of groups appears to be based on the structural objectclass posixGroup, which has plain usernames in the attribute memberUid, e.g.

dn: cn=agroup,ou=group,dc=mycorp,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: agroup
gidNumber: 1076
sambaSID: S-1-0-11-0815081508-44905045-1282156110-2119
sambaGroupType: 2
displayName: agroup
description: adescription
memberUid: amember
memberUid: bmember
memberUid: cmember

At our site, several applications make use of this structure.

Now we know that beehive requires the syntax of the objectclass groupOfNames, with dns in the attribute member, e.g.:

dn: cn=agroup,ou=group4beehive,dc=mycorp,dc=com
objectClass: groupOfNames
cn: agroup
description: adescription
member: uid=required_member_for_empty_group,ou=people,dc=mycorp,dc=com
member: uid=amember,ou=people,dc=mycorp,dc=com
member: uid=bmember,ou=people,dc=mycorp,dc=com
member: uid=cmember,ou=people,dc=mycorp,dc=com

This is quite a tricky issue, as

- groupOfNames is insufficient for managing Unix groups, as it does not provide a gidNumber

- posixGroup and groupOfNames are mutually exclusive, so we cannot store the gidNumber where the groupOfNames info lives

- SuSE Linux (and probably other Linuxes likewise) appears to have no mechanism to automatically sync two such separate group entries (one carrying the posixGroup info, the other carrying the groupOfNames info)

- implementing the rfc2307bis schema could bring posixGroup and groupOfNames info together, but they would still need to be synced

- implementing nss_map_attribute in /etc/libnss-ldap.conf could make SuSE use groupOfNames, but we saw that the other applications using the directory are all tuned to read the posixGroup format

There were plans to implement support of posixGroup structures into beehive, and these were even approved for future release (in a release after 2.1).

We have a quite cumbersome workaround for this (I can share it), but would be happy to see the following enhancement request implemented:

8278412 "ALLOW GROUP MEMBERSHIP SYNC BASED ON UID"

You are invited to tune in, in case you are also facing similar problems.

Regards, Tom
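As an added example (not Tom's workaround and not Beehive code): a small Python script that derives the groupOfNames entry Beehive expects from a posixGroup entry and computes the member additions/removals needed to keep the two in sync. The people/group bases, the placeholder DN and the sample LDIF are all constructed for the example.

```python
# Added example: mirror posixGroup memberUid values into a groupOfNames entry.
# All bases, DNs and the sample entry below are constructed, not from a real directory.
PEOPLE_BASE = "ou=people,dc=mycorp,dc=com"
GROUP4BEEHIVE_BASE = "ou=group4beehive,dc=mycorp,dc=com"
# groupOfNames requires at least one 'member'; a placeholder keeps empty groups schema-valid.
PLACEHOLDER = f"uid=required_member_for_empty_group,{PEOPLE_BASE}"

# Constructed sample posixGroup entry (no samba attributes, to keep it short).
SAMPLE_POSIX = """dn: cn=agroup,ou=group,dc=mycorp,dc=com
objectClass: posixGroup
cn: agroup
gidNumber: 1076
description: adescription
memberUid: amember
memberUid: bmember
"""

def parse_ldif_entry(text):
    """Parse one simple LDIF entry into attr -> [values].
    Limitation: base64 ('::') values and folded continuation lines are not handled."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def posix_to_group_of_names(posix):
    """Build the groupOfNames entry whose 'member' DNs mirror the posixGroup's memberUid."""
    cn = posix["cn"][0]
    members = [f"uid={uid},{PEOPLE_BASE}" for uid in posix.get("memberUid", [])]
    return {
        "dn": [f"cn={cn},{GROUP4BEEHIVE_BASE}"],
        "objectClass": ["groupOfNames"],
        "cn": [cn],
        "description": posix.get("description", []),
        "member": [PLACEHOLDER] + members,
    }

def member_delta(current, desired):
    """Return (add, delete) member lists for a modify; the placeholder is never deleted."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(m for m in cur - want if m != PLACEHOLDER)

def to_ldif(entry):
    """Serialise an entry dict back to LDIF text (dn first)."""
    lines = [f"dn: {entry['dn'][0]}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"
```

Running the three functions over a nightly dump of the posixGroup subtree gives the add/delete lists an ldapmodify job would apply to the group4beehive subtree, which is the sync step the post says SuSE does not provide.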
