[Samba] Scaleable LDAP Backends for Samba; Domain Controllers group access

Adam Tauno Williams adam at morrison-ind.com
Mon Oct 4 17:57:39 GMT 2004

> As far as I know, it *HAS* to be done this way because the posixGroup 
> schema is way out of date (it wont take a dn as a member).

That is true, well, the "out of date" part.  It doesn't have to be done
this way.

>   This info 
> according to the gurus on the OpenLDAP list. In effect we have to keep a 
> duplicate set of group records for those that will have access to the 
> database. 

No.  Duplicate is bad, only a matter of time till someone screws it up,
and debugging the ensuing weirdness will be a real headache.

> For example, if you want to give group based access to a group 
> like "Domain Controllers", you would have to keep a duplicate record 
> using a different objectClass.

Recent versions of NSS LDAP support RFC2307BIS, where groups can contain
"member" attributes rather than "memberuid" attributes.  So OS groups
can be objectclass "groupOfNames" rather than posixAccount. 

The schema is busted however, since posixGroup is structural.

So load -

# The OID below is a placeholder; use one from your own OID arc.
objectclass ( 1.3.6.1.4.1.99999.1.1
    NAME 'nssBisGroup'
    DESC 'Adds POSIX Attributes To A GroupOfNames'
    SUP top
    AUXILIARY
    MUST ( cn, gidNumber )
    MAY ( userPassword, description ) )

Since groupOfNames already requires cn, you just add a gidNumber and the
objectclass to groups that you want to be OS groups.

And set the NSS configuration to:
nss_map_objectclass posixGroup nssBisGroup
pam_member_attribute member
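Added example, not part of the original post: a small Python model of what those two nss_ldap settings ask the resolver to do. The group is selected by the mapped objectClass (nssBisGroup in place of posixGroup) and its "member" values are DNs that are dereferenced to a uid, instead of the bare uid strings a posixGroup carries in memberUid. The LDIF entries, the DNs, and the gidNumber values are constructed for the example; the parser is deliberately minimal (no base64 or folded lines) and is not the nss_ldap code.

```python
"""Resolve POSIX group membership from RFC2307bis-style LDAP groups.

Added example (not from the original post). It mimics what nss_ldap does
with  nss_map_objectclass posixGroup nssBisGroup  and
pam_member_attribute member: the group is found by the mapped objectClass
and its members are DNs that are dereferenced to a uid, rather than bare
memberUid strings. Every entry below is constructed sample data.
"""

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 515

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 515

dn: cn=Domain Controllers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: nssBisGroup
cn: Domain Controllers
gidNumber: 515
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=ghost,ou=People,dc=example,dc=com

dn: cn=legacy,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: legacy
gidNumber: 600
memberUid: alice
"""


def parse_ldif(text):
    """Minimal LDIF parser returning {dn: {attr: [values]}}.

    Constructed for this example: it handles only the plain 'attr: value'
    form (no base64 '::' values, no folded continuation lines).
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = {}
            entries[value] = current
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def getgrnam(entries, name, group_oc="nssBisGroup", member_attr="member"):
    """Return (gidNumber, sorted member uids) for the group called *name*.

    group_oc mirrors nss_map_objectclass posixGroup <class>; member_attr
    mirrors pam_member_attribute. Values of member_attr are DNs that are
    looked up in *entries* and reduced to their uid attribute. A member DN
    with no entry (a dangling reference) is dropped rather than turned into
    a bogus user. With member_attr='memberUid' the values are already uids
    (classic posixGroup), so no dereference happens.
    """
    for entry in entries.values():
        ocs = {oc.lower() for oc in entry.get("objectClass", [])}
        if group_oc.lower() not in ocs or name not in entry.get("cn", []):
            continue
        gid = int(entry["gidNumber"][0])
        uids = set()
        for value in entry.get(member_attr, []):
            if member_attr.lower() == "memberuid":
                uids.add(value)
                continue
            target = entries.get(value)
            if target is None or "uid" not in target:
                continue            # dangling DN or non-user entry: ignore
            uids.add(target["uid"][0])
        return gid, sorted(uids)
    raise KeyError(name)


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    print(getgrnam(db, "Domain Controllers"))                 # (515, ['alice', 'bob'])
    print(getgrnam(db, "legacy", "posixGroup", "memberUid"))  # (600, ['alice'])
```

The dangling "uid=ghost" DN is the case worth noticing: with DN-valued membership a stale reference resolves to nothing, whereas a stale memberUid string still names whatever account later reuses that uid.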
