LinuxQuestions.org
Old 06-15-2015, 07:35 AM   #1
lpwevers
Member
 
Registered: Apr 2005
Location: The Netherlands
Distribution: SuSE, CentOS
Posts: 181

Rep: Reputation: 21
OpenLDAP: Cannot add posixGroup


Dear Experts,

I'm trying to setup an OpenLDAP server on OpenSuSE 13.2, which will be used for authenticating users from a whole bunch of other Linux machines.

I've managed to get OpenLDAP up and running and can add users to it. However, whenever I try to add groups things go wrong.

I've setup the initial LDAP structure using this ldif:
Code:
# digio.local
dn: dc=digio,dc=local
dc: digio
o: digio b.v.
objectClass: dcObject
objectClass: organization

# Manager, digio.local
dn: cn=Manager,dc=digio,dc=local
cn: Manager
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=digio,dc=local

# People, digio.local
dn: ou=People,dc=digio,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

# Groups, digio.local
dn: ou=Groups,dc=digio,dc=local
ou: Groups
objectClass: top
objectClass: organizationalUnit
Then adding a user with an ldif like this works like a charm:
Code:
dn: uid=louis,ou=People,dc=digio,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: louis
cn: Louis Wevers
sn: Wevers
givenName: Louis
title: Yes
telephoneNumber: 1234
mobile: 1234
postalAddress: Somewhere
userPassword: {SSHA}EncryptedStuff
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/louis/
description: Louis Wevers
So for a group I try this ldif:
Code:
dn: cn=sapinst,ou=Groups,dc=digio,dc=local
objectClass: top
objectClass: posixGroup
cn: sapinst
gidNumber: 1200
And that's where things go horribly wrong:
Code:
# ldapadd -x -D "cn=Manager,dc=digio,dc=local" -f group.ldif -w <some pw>
adding new entry "cn=sapinst,ou=Groups,dc=digio,dc=local"
ldap_add: Object class violation (65)
        additional info: no structural object class provided
Google told me that I'm not the only one facing this problem; however, I've not come across an answer (at least not one that I understand). According to all of these, I should check rfc2307bis.schema for the objectClass 'posixGroup', which in my case looks like this:
Code:
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
  DESC 'Abstraction of a group of accounts'
  MUST gidNumber
  MAY ( userPassword $ memberUid $
        description ) )
I believe this to be correct, but I'm not an LDAP expert, so I'm not 100% sure.

Can anyone please help in getting this issue resolved?

Many thanks in advance,
Louis
 
Old 06-18-2015, 09:47 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
I'm hardly an OpenLDAP expert, but I'm looking through my setup (which I got off a web site years ago) and my Group ou is only objectClass organizationalUnit; it does *not* have objectClass top. I'm not sure why this would mess things up for Groups but not users in your case, but it seems somewhat odd to me that you have two objects in a hierarchy both with objectClass top. You might try removing that objectClass from the parent OU and see if it helps. Then again, I might be totally barking up the wrong tree.
 
Old 12-08-2015, 12:24 PM   #3
ecp14
LQ Newbie
 
Registered: Dec 2015
Posts: 2

Rep: Reputation: Disabled
I am having the same exact problem with SUSE 10. Was this ever resolved? If so, I would love to find out how it was resolved. Thanks!
 
Old 12-08-2015, 03:55 PM   #4
lpwevers
Member
 
Registered: Apr 2005
Location: The Netherlands
Distribution: SuSE, CentOS
Posts: 181

Original Poster
Rep: Reputation: 21
Quote:
Originally Posted by ecp14 View Post
I am having the same exact problem with SUSE 10. Was this ever resolved? If so, I would love to find out how it was resolved. thanks!
Well, sort of. But probably not the way you like it. I switched to SLES 11 and used the yast LDAP configuration. That solved the issue, without ever solving the original problem.

Sorry.
 
Old 12-08-2015, 04:19 PM   #5
ecp14
LQ Newbie
 
Registered: Dec 2015
Posts: 2

Rep: Reputation: Disabled
Thanks for your reply, lpwevers. I was able to resolve it by removing posixGroup as the objectClass and keeping "top". Added objectClass "groupOfNames" and the member attribute for each user account that will be in the group. Also had to remove gidNumber since it does not work with groupOfNames. Will see how far this gets me. Thanks again.
dn: cn=tpdstaff,ou=Group,dc=example,dc=com
#changetype: modify
objectClass: groupOfNames
#objectClass: posixGroup
objectClass: top
cn: tpdstaff
## gidNumber was not allowed
#gidNumber: 500
member: uid=tpduser0,ou=People,dc=example,dc=com
 
Old 10-15-2016, 06:57 PM   #6
udonj
LQ Newbie
 
Registered: Oct 2016
Posts: 1

Rep: Reputation: Disabled
OpenLDAP: Cannot add posixGroup (solution)

Problem:
#:/etc/openldap/schema # ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f addgroups.ldif
Enter LDAP Password:
adding new entry "cn=groupname,ou=Group,dc=example,dc=com"
ldap_add: Object class violation (65)
additional info: no structural object class provided



Short summary of solution:
1) systemctl stop slapd.service
2) rm -rf /etc/openldap/slapd.d/*
3) change slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#!!! nis.schema contains correct posixGroup description with cn and gidNumber while rfc2307bis.schema does not !
#include /etc/openldap/schema/yast.schema

Look here (from nis.schema, read the MUST line):
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
DESC 'Abstraction of a group of accounts'
SUP top STRUCTURAL
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )

while from rfc2307bis.schema we have:

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
DESC 'Abstraction of a group of accounts'
MUST gidNumber
MAY ( userPassword $ memberUid $
description ) )

Hence one has to use nis.schema instead of rfc2307bis.schema!



4) slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5) systemctl restart slapd.service

6) Done! Use your "ldapadd -x -D …"

P.S. very useful link:
https://wiki.archlinux.org/index.php/OpenLDAP
P.S. II: I have SuSE Leap 42.2
(Linux myserver 4.4.22-1-default #1 SMP Wed Sep 28 15:13:53 UTC 2016 (32db362) x86_64 x86_64 x86_64 GNU/Linux)

Last edited by udonj; 10-15-2016 at 07:04 PM.
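As an added example (not code from the thread), this small Python checker applies the rules slapd enforces on an add, using the two posixGroup definitions quoted in this thread plus top and groupOfNames as defined in OpenLDAP's core.schema: a structural class must be present, every MUST attribute must be supplied, and no attribute outside the classes' MUST/MAY lists is accepted. Run against the ldifs above it reproduces the "no structural object class provided" error for the sapinst group under rfc2307bis.schema, accepts the same entry under nis.schema, shows why ecp14 had to drop gidNumber from a plain groupOfNames, and goes one step further than the thread by showing that under rfc2307bis a groupOfNames entry can carry the auxiliary posixGroup and keep gidNumber. The schema strings are condensed to one line each and SUP inheritance is not resolved.

```python
import re

# Added example, not code from the thread. The two posixGroup definitions are the ones
# quoted above (nis.schema vs. rfc2307bis.schema), condensed to one line; top and
# groupOfNames follow OpenLDAP's core.schema. SUP inheritance is not resolved.
CORE = ["objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
        "objectclass ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) "
        "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )"]
NIS_POSIXGROUP = ("objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL "
                  "MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )")
BIS_POSIXGROUP = ("objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY "
                  "MUST gidNumber MAY ( userPassword $ memberUid $ description ) )")

def _attrs(defn, keyword):
    # Attribute names listed after MUST or MAY, lower-cased; [] if the keyword is absent.
    m = re.search(keyword + r"\s+(\([^)]*\)|\S+)", defn)
    return [a.strip().lower() for a in m.group(1).strip("() ").split("$")] if m else []

def load_schema(defs):
    # Map objectClass name -> (kind, MUST attributes, MAY attributes).
    schema = {}
    for d in defs:
        name = re.search(r"NAME '([^']+)'", d).group(1)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", d).group(1)
        schema[name] = (kind, _attrs(d, "MUST"), _attrs(d, "MAY"))
    return schema

def parse_ldif(text):
    # Minimal single-entry LDIF: 'attr: value' lines; '#' comment and blank lines skipped.
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_entry(schema, ldif_text):
    # Apply slapd's object class rules in order; return the error text, or None if accepted.
    entry = parse_ldif(ldif_text)
    classes = entry.get("objectclass", [])
    if not any(schema[oc][0] == "STRUCTURAL" for oc in classes):
        return "no structural object class provided"   # the error from this thread
    allowed = {"dn", "objectclass"}
    for oc in classes:
        for attr in schema[oc][1]:
            if attr not in entry:
                return "object class '%s' requires attribute '%s'" % (oc, attr)
        allowed.update(schema[oc][1], schema[oc][2])
    extra = [a for a in entry if a not in allowed]   # e.g. gidNumber on a plain groupOfNames
    return "attribute '%s' not allowed" % extra[0] if extra else None
```

check_entry(load_schema(CORE + [BIS_POSIXGROUP]), ldif_text) returns the thread's error for the sapinst ldif and None once the entry also lists a structural class such as groupOfNames alongside posixGroup.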
 
  

