I've just installed and configured OpenLDAP 2.4 on CentOS 8 and I'm now creating Groups and their members for future use.
One of these future uses will be LDAP+PAM integration, which is why I want my Groups to have the memberUid attribute from the posixGroup objectClass, which is defined in the nis.schema file that's shipped with OpenLDAP:
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
    DESC 'Abstraction of a group of accounts'
    SUP top STRUCTURAL
    MUST ( cn $ gidNumber )
    MAY ( userPassword $ memberUid $ description ) )
But I would also like to use the member attribute from the groupOfNames objectClass, which is defined in core.schema:
objectclass ( 2.5.6.9 NAME 'groupOfNames'
    DESC 'RFC2256: a group of names (DNs)'
    SUP top STRUCTURAL
    MUST ( member $ cn )
    MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
But if I try to use both of these objectClasses, I get an LDAP_OBJECT_CLASS_VIOLATION, since both of them are STRUCTURAL (in fact, I believe that not so long ago posixGroup was AUXILIARY).
How can I use both of these objectClasses without changing their original specification?
Is there an alternative? Can I use the "member" attribute or some objectClass other than posixGroup to integrate LDAP with PAM? Or is there another objectClass that's AUXILIARY and has a "member" attribute?
The member attribute is very important for my future needs, but I was only going to use posixGroup for PAM integration.
Thanks in advance.
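As an added illustration of the STRUCTURAL conflict the question describes (this is example code, not from the question or the answer): a small Python checker that parses the two objectclass definitions quoted above, applies the rule that an entry may carry only one chain of STRUCTURAL classes plus any required attributes, and then repeats the check with posixGroup redefined as AUXILIARY, which is the shape the RFC 2307bis schema gives it. The group entry, the AUXILIARY posixGroup text and the checker itself are constructed for this example; compare that definition against the schema file you actually deploy before relying on it.

```python
"""Toy LDAP objectClass checker: why nis.schema posixGroup + groupOfNames is rejected.

Parses 'objectclass ( OID NAME ... KIND MUST (...) MAY (...) )' definitions and
reports, for an entry, (a) unrelated STRUCTURAL classes and (b) missing MUST attributes.
Only a subset of RFC 4512 syntax is handled: enough for the definitions quoted above.
"""
import re

# Schema text exactly as quoted in the question (nis.schema / core.schema, both STRUCTURAL).
NIS_AND_CORE = """
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
    DESC 'Abstraction of a group of accounts'
    SUP top STRUCTURAL
    MUST ( cn $ gidNumber )
    MAY ( userPassword $ memberUid $ description ) )
objectclass ( 2.5.6.9 NAME 'groupOfNames'
    DESC 'RFC2256: a group of names (DNs)'
    SUP top STRUCTURAL
    MUST ( member $ cn )
    MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
"""

# posixGroup as AUXILIARY, the form RFC 2307bis uses. Reconstructed for this example
# (assumption): verify against the 2307bis schema file you deploy.
RFC2307BIS_POSIXGROUP = """
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
    SUP top AUXILIARY
    DESC 'Abstraction of a group of accounts'
    MUST gidNumber
    MAY ( userPassword $ memberUid $ description ) )
"""


def _definitions(text):
    """Return the text inside the outer parentheses of each objectclass definition."""
    out, pos = [], 0
    while True:
        start = text.lower().find("objectclass", pos)
        if start == -1:
            return out
        open_idx = text.find("(", start)
        depth, idx = 0, open_idx
        while idx < len(text):                  # balance parentheses; DESC may contain some
            if text[idx] == "(":
                depth += 1
            elif text[idx] == ")":
                depth -= 1
                if depth == 0:
                    out.append(text[open_idx + 1:idx])
                    break
            idx += 1
        pos = idx + 1


def _oid_list(body, keyword):
    """Read 'KEYWORD x' or 'KEYWORD ( a $ b )' into a list of names."""
    m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*?)\s*\)|(\S+))", body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]


def parse_schema(text):
    """Map objectClass name -> {kind, sup, must, may}; 'top' is built in."""
    schema = {"top": {"kind": "ABSTRACT", "sup": [], "must": ["objectClass"], "may": []}}
    for body in _definitions(text):
        body = re.sub(r"DESC\s+'[^']*'", " ", body)  # DESC text could contain keywords
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", body)
        schema[name] = {
            "kind": kind.group(1) if kind else "STRUCTURAL",  # RFC 4512 default kind
            "sup": _oid_list(body, "SUP"),
            "must": _oid_list(body, "MUST"),
            "may": _oid_list(body, "MAY"),
        }
    return schema


def _ancestors(oc, schema):
    seen, stack = set(), [oc]
    while stack:
        for sup in schema.get(stack.pop(), {}).get("sup", []):
            if sup not in seen:
                seen.add(sup)
                stack.append(sup)
    return seen


def _required(oc, schema):
    req = []
    for c in [oc, *_ancestors(oc, schema)]:
        req.extend(schema.get(c, {}).get("must", []))
    return req


def check_entry(entry, schema):
    """Return the list of violations for an entry; an empty list means it would be accepted."""
    attrs = {k.lower() for k in entry}
    classes = entry.get("objectClass", [])
    problems = [f"unknown objectClass '{oc}'" for oc in classes if oc not in schema]
    known = [oc for oc in classes if oc in schema]
    structural = [oc for oc in known if schema[oc]["kind"] == "STRUCTURAL"]
    for i, a in enumerate(structural):           # every STRUCTURAL pair must be in one chain
        for b in structural[i + 1:]:
            if a not in _ancestors(b, schema) and b not in _ancestors(a, schema):
                problems.append(f"objectClass violation: '{a}' and '{b}' are both "
                                "STRUCTURAL and not in one superclass chain")
    for oc in known:                             # MUST attributes of each class and its parents
        for attr in _required(oc, schema):
            if attr.lower() not in attrs:
                problems.append(f"'{oc}' requires attribute '{attr}'")
    return problems


# Constructed sample group carrying both the DN-based member and the PAM-style memberUid.
GROUP_ENTRY = {
    "dn": ["cn=developers,ou=groups,dc=example,dc=com"],
    "objectClass": ["top", "groupOfNames", "posixGroup"],
    "cn": ["developers"],
    "gidNumber": ["10001"],
    "member": ["uid=alice,ou=people,dc=example,dc=com"],
    "memberUid": ["alice"],
}


def violations_with_nis_schema():
    return check_entry(GROUP_ENTRY, parse_schema(NIS_AND_CORE))


def violations_with_rfc2307bis():
    schema = parse_schema(NIS_AND_CORE)
    schema.update(parse_schema(RFC2307BIS_POSIXGROUP))  # posixGroup becomes AUXILIARY
    return check_entry(GROUP_ENTRY, schema)


if __name__ == "__main__":
    print("nis.schema:", violations_with_nis_schema() or "accepted")
    print("rfc2307bis:", violations_with_rfc2307bis() or "accepted")
```

With the nis.schema definitions the checker reports the same class of error slapd does (two unrelated STRUCTURAL classes); once posixGroup is AUXILIARY the entry passes, with groupOfNames as the single structural class and memberUid still available for PAM.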
Best Answer
You'll want to use the schema defined in RFC2703bis as opposed to RFC2703 aka nis.schema.
Below is a wide ldif that should be suitable for adding with ldapadd, though I do worry that you're still using slapd.conf rather than slapd-config. (There may be a few modifications to allow substring matches not included in RFC2703bis on things like automountkey because I'm lazy and like both substring matching and pulling from live configs.)