As you may know, the posixGroup object class of the standard nis (rfc2307) LDAP schema is structural. This has disadvantages: if you need both object classes to represent the same group with the same members, you have to keep two structural entries, one posixGroup and one groupOfNames, in sync by hand. Some further discussion here.
For this purpose the old nis (rfc2307) schema has been extended under the name rfc2307bis. The rfc2307bis schema removes the structural flag from posixGroup and makes it auxiliary. With the rfc2307bis schema you can simply add the posixGroup object class to an already existing groupOfNames (or similar) entry to make that group also a Unix group.
This guide was tested on Ubuntu Server 12.04.4 LTS and 14.04.1 LTS with OpenLDAP 2.4.31, but it should also work on any other OpenLDAP installation that uses the dynamic cn=config configuration (slapd.d). It does not cover the old static slapd.conf setup.
Installation Type
Fresh Installation
Normally, on a fresh installation of the slapd package, you would simply add the rfc2307bis.ldif schema to your configuration and be finished. But the nis (rfc2307) schema is a core schema; nearly every other schema depends on it, so it and a few others are loaded directly during the package install:
- core
- cosine
- inetorgperson
- nis (rfc2307)
Because rfc2307bis defines the same attribute types and object classes (posixAccount, posixGroup, ...) as nis, slapd rejects the duplicate definitions if both are loaded. Even on a fresh installation you therefore have to replace the nis schema rather than add rfc2307bis next to it; that is the schema replacement part of the procedure below, without the data conversion.
Production System
If you already have posixGroup entries in your LDAP directory, things are more complicated. With the change from structural to auxiliary every existing posixGroup entry becomes invalid (an entry needs exactly one structural object class, and posixGroup was the only one those entries had), and slapd won't start. The procedure should be as follows:
- Make a backup!! There are many reasons why the transformation could fail, especially if you use dynamic configuration with cn=config. Any mistake in your configuration prevents slapd from starting, and the server must be running to change the configuration, so without a backup you have no other choice than purging your data. Dump both the configuration database (slapcat -n 0) and the data database (slapcat -n 1) while slapd still works.
- Convert posixGroup to groupOfNames:
  - make a list of all posixGroup entries, their gidNumber and the users they contain (memberUid).
  - delete all posixGroup entries and create groupOfNames entries instead. Note that groupOfNames requires at least one member attribute, so an empty posixGroup needs a placeholder member.
  - **(!) Make sure that there is no posixGroup left in your LDAP directory.** That's important!
- Replace nis (rfc2307) with rfc2307bis (e.g. with the steps of this guide below).
- Iterate through your list and add the now auxiliary object class posixGroup (together with gidNumber and memberUid) to your structural groupOfNames entries.
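The four steps above, as an added shell example that is not part of the original guide: it turns an LDIF dump of the existing posixGroup entries into the two change sets you need, one to apply before the schema swap (delete each posixGroup and recreate it as a groupOfNames) and one to apply after it (add the auxiliary posixGroup class, gidNumber and memberUid back), plus a check that no posixGroup is left. The user base ou=People,dc=example,dc=com, the placeholder member for empty groups, the group base ou=Group,dc=example,dc=com, the bind DN in the usage note and the sample dump are all assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the original guide. Generates the LDIF change sets
# for the posixGroup -> groupOfNames -> posixGroup(auxiliary) round trip.
# Only cn, gidNumber and memberUid are carried over; other attributes of the
# old posixGroup entries (description, userPassword, ...) must be handled by
# hand. Base64 values (dn::) and folded LDIF lines are not handled either.
set -eu

USER_BASE="ou=People,dc=example,dc=com"                   # assumed: uid=<name> lives here
PLACEHOLDER="cn=placeholder,ou=Group,dc=example,dc=com"   # assumed filler for empty groups

# Step 2: delete every posixGroup and recreate it as a groupOfNames.
# Reads a posixGroup dump (ldapsearch -LLL output) on stdin, writes LDIF on stdout.
to_groupofnames() {
  awk -v base="$USER_BASE" -v ph="$PLACEHOLDER" '
    BEGIN { RS = ""; FS = "\n" }                 # one LDIF entry per record
    {
      dn = ""; cn = ""; n = 0; split("", uids)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dn: /) dn = substr($i, 5)
        else if ($i ~ /^cn: /) cn = substr($i, 5)
        else if ($i ~ /^memberUid: /) uids[++n] = substr($i, 12)
      }
      if (dn == "") next
      print "dn: " dn; print "changetype: delete"; print ""
      print "dn: " dn; print "changetype: add"
      print "objectClass: groupOfNames"; print "cn: " cn
      if (n == 0) print "member: " ph           # groupOfNames MUST have a member
      for (j = 1; j <= n; j++) print "member: uid=" uids[j] "," base
      print ""
    }'
}

# Step 4 (after the schema swap): add the now-auxiliary posixGroup class,
# gidNumber and memberUid back onto the groupOfNames entries.
to_posix_aux() {
  awk '
    BEGIN { RS = ""; FS = "\n" }
    {
      dn = ""; gid = ""; n = 0; split("", uids)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dn: /) dn = substr($i, 5)
        else if ($i ~ /^gidNumber: /) gid = substr($i, 12)
        else if ($i ~ /^memberUid: /) uids[++n] = substr($i, 12)
      }
      if (dn == "" || gid == "") next
      print "dn: " dn; print "changetype: modify"
      print "add: objectClass"; print "objectClass: posixGroup"; print "-"
      print "add: gidNumber"; print "gidNumber: " gid; print "-"
      if (n > 0) {
        print "add: memberUid"
        for (j = 1; j <= n; j++) print "memberUid: " uids[j]
        print "-"
      }
      print ""
    }'
}

# Step 2 check: number of posixGroup entries in a dump; must be 0 before the swap.
count_posixgroups() { printf '%s\n' "$1" | grep -c '^objectClass: posixGroup$' || true; }

# Constructed sample dump, standing in for the output of
#   ldapsearch -LLL -x -b ou=Group,dc=example,dc=com '(objectClass=posixGroup)'
SAMPLE_DUMP='dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10000
memberUid: alice
memberUid: bob

dn: cn=empty,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: empty
gidNumber: 10001'

printf '%s\n' "$SAMPLE_DUMP" | to_groupofnames
printf '%s\n' "$SAMPLE_DUMP" | to_posix_aux
```

On a real system you would save the ldapsearch output to groups.ldif, run `to_groupofnames < groups.ldif | ldapmodify -x -D cn=admin,dc=example,dc=com -W` before the schema swap, verify with a fresh dump that count_posixgroups reports 0, and run `to_posix_aux < groups.ldif | ldapmodify ...` after slapd is back up with rfc2307bis.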
Dump the current configuration database:
sudo slapcat -n 0 > config.ldif
What the file includes depends on the schemas you have already added, but it should contain at least the following entries:
- dn: cn=schema,cn=config
- dn: cn={0}core,cn=schema,cn=config
- dn: cn={1}cosine,cn=schema,cn=config
- dn: cn={2}nis,cn=schema,cn=config
- dn: cn={3}inetorgperson,cn=schema,cn=config
- dn: olcBackend={0}hdb,cn=config
- dn: olcDatabase={-1}frontend,cn=config
- dn: olcDatabase={0}config,cn=config
- dn: olcDatabase={1}hdb,cn=config
In config.ldif, delete everything from

dn: cn={2}nis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}nis
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME ...

up to and including the operational attributes at the end of the nis entry, i.e. the block right before dn: cn={3}inetorgperson,cn=schema,cn=config:

structuralObjectClass: olcSchemaConfig
entryUUID: 5827577a-b34f-1033-8297-1948286386c7
creatorsName: cn=config
createTimestamp: 20140808135504Z
entryCSN: 20140808135505.000499Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140808135504Z

(The index {2} is what a fresh Ubuntu install uses; if your nis entry has a different index, note it, because the replacement must get the same one.) Now you have to get the rfc2307bis schema. There are many pages from which you can download it, but there is also a package which includes it:
sudo apt-get install gosa-schema
This package contains some schemas that are needed by the GUI frontend GOsa² for LDAP, but since it only contains schemas you do not have to install GOsa² itself or load any other schema from the package. Copy the content of the file
/etc/ldap/schema/gosa/rfc2307bis.ldif
(on distributions such as Red Hat/CentOS or openSUSE the OpenLDAP configuration lives under /etc/openldap/... instead of /etc/ldap/...) into config.ldif at the same place where you removed the nis schema. The order is important, because the {N} index determines the load order and later schemas may reference definitions from this one.
Then change the rfc2307bis header from

dn: cn=rfc2307bis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: rfc2307bis

to

dn: cn={2}rfc2307bis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}rfc2307bis
Stop the daemon:
sudo service slapd stop
Delete your old configuration:
sudo rm -r /etc/ldap/slapd.d/*
(If your shell cannot read that directory the glob does not expand; use sudo sh -c 'rm -r /etc/ldap/slapd.d/*' instead.) Restore your config.ldif with the new schema:
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l config.ldif
If successful the output should be
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
Correct the permissions so slapd can read the files (on distributions such as Red Hat/CentOS or openSUSE the user and group are called ldap). Running slapadd as the openldap user with sudo -u openldap avoids this step:
sudo chown -R openldap:openldap /etc/ldap/slapd.d/
Before starting, you can check the restored configuration while slapd is still stopped:
sudo -u openldap slaptest -u -F /etc/ldap/slapd.d
It should end with "config file testing succeeded". Start the daemon:
sudo service slapd start
And that's it! Congratulations, you now have the rfc2307bis schema!
Further notes
If you like to use a GUI, your selection is more limited than with the old nis schema. Most of them support rfc2307bis, but it is often a premium (paid) feature. GOsa² supports it for free, but it requires many additional schemas and forces you to set many attributes which you might not want. It's not really flexible ...