Hi Maciej,
>> But I get an error on inserting posix users with "Constraint violation
>> (some attributes not unique)". Maybe because
>> https://bugs.openldap.org/show_bug.cgi?id=6825
>>
>> The same problem occurs when I just try to add a posix user with
>> gidNumber and a group with the same gidNumber manually via ldifs.
>>
>> Did you ever get errors like this?
> The default LDAP schema in DebOps is the 'rfc2307bis' schema[2]. It changes
> a few things, namely makes the posixGroup object class an AUXILIARY class,
> which lets you apply it to existing objects. You can then create an
> inetOrgPerson object with posixGroup class and define gidNumber in a single
> object - that's how DebOps handles User Private Groups in LDAP[3].
This I got. FusionDirectory has this rfc2307bis schema on board and I
worked earlier with this in 389-ds.
This is where the problem in the interaction with FusionDirectory began,
and I think I now understand why:
User Private Groups are implemented in DebOps in a very special way, I
think. (I don't know how common it is - I haven't found much about it.)
It seems quite clever because you only need one object - but I think it
restricts interoperability with other tools.
> As for the constraint violation - gidNumber uniqueness is enforced globally by
> the 'slapd' role[4] to avoid collisions and accidental security issues. If you
> want to create a new user with unique UID and GID number, it's best to reserve
> one via special LDAP objects prepared just for that[5], similar to how
> FusionDirectory does it.
FusionDirectory creates two objects for User Private Groups: one in
ou=People and one in ou=Groups, e.g.:
uid=tuser,ou=people,dc=example,dc=org
cname=tuser,ou=groups,dc=example,dc=org
but both with gidNumber set to the same value.
This clashes with the
/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={2}unique.ldif
So I configured:
slapd__tasks:
  - name: 'Configure Unique overlay in the main database'
    dn: 'olcOverlay={2}unique,olcDatabase={1}mdb,cn=config'
    attributes:
      olcUniqueURI:
        # - 'ldap:///{{ slapd__basedn }}?uidNumber?sub'
        # - 'ldap:///{{ slapd__basedn }}?gidNumber?sub'
        - 'ldap:///{{ slapd__basedn }}?mail?sub'
        - 'ldap:///{{ slapd__basedn }}?mailAddress,mailAlternateAddress?sub'
        - 'ldap:///ou=People,{{ slapd__basedn }}?employeeNumber?sub'
        - 'ldap:///ou=People,{{ slapd__basedn }}?uid?sub'
        - 'ldap:///ou=People,{{ slapd__basedn }}?gid?sub'
    state: 'exact'
(I omitted the 'ldap:///{{ slapd__basedn }}?gidNumber?sub' entry)
and now I can add users with User Private Groups in FusionDirectory.
They are stored in two objects anyway, but I think this is standard in
many environments. Isn't it?
Probably it would be enough to use
olcUniqueURI:
  - 'ldap:///ou=People,{{ slapd__basedn }}?uidNumber?sub'
  - 'ldap:///ou=groups,{{ slapd__basedn }}?gidNumber?sub'
because we only need the same gidNumber once in People and once in Groups.
What's interesting: FusionDirectory understands the objects written by
DebOps. The default user is shown as a POSIX user, and on editing,
everything is still stored in one LDAP object.
My task is to use OpenLDAP and FusionDirectory for an "old style" Samba
directory with POSIX and Samba users. In my opinion this is still the
easiest way for mixed environments with mainly Linux desktop clients and
central file storage plus home directories on the network, when we do not
need any domain logon for Windows clients. I wanted to try to map as much
as I can with DebOps. But we need a graphical user interface for LDAP
admin tasks for the local administration inside the organisations.
Cheers
Jan
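To make the difference between the two olcUniqueURI variants discussed in this thread concrete, here is an added example (written for this page; it is not code from the mail, from DebOps, from FusionDirectory or from OpenLDAP). It models how slapo-unique evaluates a domain of the form ldap:///<base>?<attrs>?<scope> against constructed LDIF entries: the global gidNumber URI rejects the ou=Groups half of a FusionDirectory user because the ou=People half already carries the same gidNumber, while the People/Groups-scoped URIs let it through. It also shows the trade-off of the scoped variant: a new group under ou=Groups that reuses the gidNumber of a DebOps single-object User Private Group in ou=People is no longer caught, so the two models only mix safely when UID/GID numbers come from a single reservation mechanism. All DNs, names and numbers are made up, and the in-memory uniqueness check is a simplified stand-in for the overlay's LDAP search.

```python
"""Model of how slapo-unique (OpenLDAP's 'unique' overlay) applies an
olcUniqueURI value 'ldap:///<base>?<attr,...>?<scope>' to an ADD: if the new
entry lies under <base> within <scope>, none of the listed attribute values may
already exist on another entry in that region. Each URI is treated as its own
domain, as separate olcUniqueURI values are. Added example, not DebOps,
FusionDirectory or OpenLDAP code; every DN, name and number is constructed."""
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, {attr_lowercase: [values]})


def parse_ldif(text: str) -> List[Entry]:
    """Tiny LDIF reader (blank-line separated entries, 'attr: value' lines,
    no base64 or line folding) - enough for the constructed sample below."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name and not name.startswith("#"):
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Case-insensitive DN containment for scope base/one/sub; DNs are
    assumed to be normalised (no spaces after the commas)."""
    d, b = dn.lower(), base.lower()
    if scope == "base":
        return d == b
    if scope == "one":
        return d.endswith("," + b) and "," not in d[: -(len(b) + 1)]
    if scope == "sub":
        return d == b or d.endswith("," + b)
    raise ValueError("unknown scope: " + scope)


def unique_violations(existing: List[Entry], new: Entry, uris: List[str]):
    """(uri, attr, value, conflicting_dn) for every domain the ADD would
    break; an empty list means slapo-unique would accept the entry."""
    new_dn, new_attrs = new
    hits = []
    for uri in uris:
        if not uri.startswith("ldap:///"):
            raise ValueError("only ldap:/// URIs are modelled: " + uri)
        base, attr_list, scope = uri[len("ldap:///"):].split("?")
        if not in_scope(new_dn, base, scope):
            continue  # this domain does not cover the entry being added
        for attr in (x.strip().lower() for x in attr_list.split(",") if x.strip()):
            for value in new_attrs.get(attr, []):
                hits += [(uri, attr, value, dn) for dn, attrs_of in existing
                         if in_scope(dn, base, scope) and value in attrs_of.get(attr, [])]
    return hits


BASE = "dc=example,dc=org"

# Constructed directory: a DebOps-style single-object User Private Group
# (gidNumber 10001) and the ou=People half of a FusionDirectory user (10002).
EXISTING = parse_ldif("""
dn: uid=debopsuser,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: posixGroup
uid: debopsuser
uidNumber: 10001
gidNumber: 10001

dn: uid=tuser,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: tuser
uidNumber: 10002
gidNumber: 10002
""")
# The ou=Groups half FusionDirectory adds for the same user, and a new group
# that (by mistake) reuses the DebOps User Private Group's gidNumber.
FD_GROUP, COLLIDING_GROUP = parse_ldif("""
dn: cn=tuser,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: tuser
gidNumber: 10002

dn: cn=shared,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: shared
gidNumber: 10001
""")

GLOBAL_URIS = [f"ldap:///{BASE}?uidNumber?sub", f"ldap:///{BASE}?gidNumber?sub"]
SCOPED_URIS = [f"ldap:///ou=People,{BASE}?uidNumber?sub",
               f"ldap:///ou=Groups,{BASE}?gidNumber?sub"]

if __name__ == "__main__":
    for label, new, uris in [("global, FD group", FD_GROUP, GLOBAL_URIS),
                             ("scoped, FD group", FD_GROUP, SCOPED_URIS),
                             ("scoped, colliding group", COLLIDING_GROUP, SCOPED_URIS)]:
        print(f"{label}: {unique_violations(EXISTING, new, uris) or 'accepted'}")
```

Running it shows the global gidNumber domain rejecting cn=tuser,ou=Groups because uid=tuser,ou=People already holds gidNumber 10002, the scoped domains accepting it, and the scoped domains also accepting cn=shared,ou=Groups even though it collides with the single-object UPG at uid=debopsuser,ou=People. The scoped variant still catches a second group under ou=Groups reusing a gidNumber; what it gives up is the cross-OU check that the single-object model relied on.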