Bug 4597 - ldapsam:editposix needs rfc2307bis.schema support and inetorgperson
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
3.0.24
All Linux
: P3 enhancement
: none
Assigned To: Volker Lendecke
Samba QA Contact
:
Depends on:
Blocks:
Reported: 2007-05-07 10:27 UTC by rtcg
Modified: 2011-04-13 05:09 UTC (History)

See Also:


Attachments
inetOrgPerson support for editposix (3.68 KB, patch), 2007-05-20 10:53 UTC, Simo Sorce, no flags
rfc2307 patch for ldapsam:editposix (3.63 KB, patch), 2010-07-26 00:45 UTC, oota toshiya, no flags
rfc2307 patch for ldapsam:editposix (4.83 KB, patch), 2011-04-12 07:21 UTC, oota toshiya, no flags

Description rtcg 2007-05-07 10:27:37 UTC
Please expand ldapsam:editposix (lds:ep) so that it supports the rfc2307bis.schema.  nss_ldap supports rfc2307bis, but 'net sam provision' will fail if you replace nis.schema with rfc2307bis.schema.

Also, please modify the  LDAP_OBJ_ACCOUNT variable in (samba version 3.0.24:./source/include/smbldap.h) to use the structural objectclass "person" instead of objectclass = "account".  Using inetorgperson is a much better choice as other parts of the network need to store contact phone numbers and other data along with the samba account.    While I can currently edit the source to make this change myself, there may come a time when such a change would be beyond simply the editing of a variable and thus 'out of reach'.
Comment 1 rtcg 2007-05-14 23:56:53 UTC
(In reply to comment #0)
> Also, please modify the  LDAP_OBJ_ACCOUNT variable in (samba version
> 3.0.24:./source/include/smbldap.h) to use the structural objectclass "person"
> instead of objectclass = "account".  

Just changing the LDAP_OBJ_ACCOUNT variable results in a slapd error, "object class 'person' requires attribute 'sn'".  Using the value of 'cn' to fill in 'sn' could be one possible fix.
Comment 2 Simo Sorce 2007-05-20 10:53:53 UTC
Created attachment 2708 [details]
inetOrgPerson support for editposix

This patch may be a way to add support to use the inetOrgPerson objectClass instead of account when using ldapsam:editposix

please test it and let me know if this works for you
Comment 3 Volker Lendecke 2007-05-20 11:30:56 UTC
Simo: Question -- can we make this a bit more generic? My feeling is that a parameter for this specific case might not be optimal. I don't have an exact config style in mind, but I could imagine that others with other wishes will show up.
Comment 4 Simo Sorce 2007-05-20 12:59:02 UTC
Yes we can, and that is why I didn't commit it.
I would like to come up with a completely user configurable way of doing this.
But meanwhile this patch can be used as a stop gap for people that really need to use inetOrgPerson.
Comment 5 rtcg 2007-05-21 12:10:25 UTC
The inetOrgPerson patch DOES work when the case-sensitive option...

   ldapsam:editposix use inetOrgPerson = yes

...is added to smb.conf
Comment 6 Volker Lendecke 2008-06-14 06:45:01 UTC
Just for reference: "ulimit" on irc just discovered the groupOfNames / namedObject classes that solve the "posixGroup is auxiliary" problem. namedObject is to be used when no member is around, the structural class changes once a member is added to the group.

YaST does this, so Novell is aware of this -- maybe they can submit a patch to editPosix? :-)

Volker
Comment 7 Simo Sorce 2008-06-14 10:46:23 UTC
(In reply to comment #6)
> Just for reference: "ulimit" on irc just discovered the groupOfNames /
> namedObject classes that solve the "posixGroup is auxiliary" problem.
> namedObject is to be used when no member is around, the structural class
> changes once a member is added to the group.

This does not work with OpenLDAP, because strict adherence to the LDAP RFC forbids adding/removing/modifying structural classes, so you'd have to delete and add again the object (and this would lead to other problems).

> YaST does this, so Novell is aware of this -- maybe they can submit a patch to
> editPosix? :-)

The solution would be to modify the groupOfNames class. We had some extensive discussion some months ago on the LDAP standards mailing list to come up with a new objectclass that would solve the issues, but then the discussion stalled.

On some servers the schema has been changed and member made MAY instead of MUST. It's a minor violation, but I am all for it, as the object class as it is is just plain stupid.
Comment 8 Pieter Hollants 2008-06-24 18:39:41 UTC
You don't happen to have a pointer to this discussion?
Comment 9 Pieter Hollants 2008-06-24 18:55:32 UTC
I just found another possible solution or workaround at http://linux.derkeiler.com/Mailing-Lists/SuSE/2008-04/msg01104.html: basically they talk about adding an empty member: attribute at the beginning. While this wouldn't be exactly "nice", it wouldn't require modifying an existing schema.
Comment 10 oota toshiya 2010-07-26 00:45:19 UTC
Created attachment 5864 [details]
rfc2307 patch for ldapsam:editposix
Comment 11 oota toshiya 2010-07-26 00:46:41 UTC
I made another patch for this problem, like the "inetOrgPerson support for editposix" patch by Simo Sorce.

This patch has a new parameter, "ldapsam:editposix_rfc2307bis".
If ldapsam:editposix_rfc2307bis = namedObject, then
   use namedObject from rfc2307bis.schema.
If ldapsam:editposix_rfc2307bis = groupOfNames, then
   use groupOfNames from core.schema.

This patch was tested on Samba-3.4.3 on openSUSE 11.2.
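The three objectClass layouts debated in this bug (comment 1's "person requires sn" error, comment 9's empty-member workaround for groupOfNames, and the namedObject/groupOfNames choice behind the ldapsam:editposix_rfc2307bis parameter above) can be checked offline before touching a directory. The following is an added example and not code from Samba or from any patch attached here: it carries a hand-written summary of the MUST attributes and structural/auxiliary kinds from core.schema, inetorgperson.schema, nis.schema and rfc2307bis.schema (MAY attributes are not modelled), builds the user and group entries a provisioning step would write, and reports the violations slapd would reject. The function names, `BASE_DN`, and every uid, SID and number are constructed for the illustration.

```python
# Added example (not Samba code): model the objectClass choices from this bug
# and the MUST-attribute / structural-class rules slapd enforces on them.
# Schema table is a hand-written summary of core/inetorgperson/nis/rfc2307bis
# schemas (MUST only, MAY not modelled); DNs, uids, SIDs are constructed.

BASE_DN = "dc=example,dc=com"   # constructed sample suffix

def schema(rfc2307bis):
    """objectClass -> (kind, superior class, MUST attributes)."""
    s = {
        "top":                  ("ABSTRACT",   None,                   set()),
        "account":              ("STRUCTURAL", "top",                  {"uid"}),
        "person":               ("STRUCTURAL", "top",                  {"cn", "sn"}),
        "organizationalPerson": ("STRUCTURAL", "person",               set()),
        "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson", set()),
        "posixAccount":         ("AUXILIARY",  "top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
        "sambaSamAccount":      ("AUXILIARY",  "top",                  {"uid", "sambaSID"}),
        "groupOfNames":         ("STRUCTURAL", "top",                  {"cn", "member"}),
        # nis.schema (RFC 2307) declares posixGroup STRUCTURAL; rfc2307bis.schema
        # makes it AUXILIARY and adds namedObject as a structural class for groups.
        "posixGroup":           ("AUXILIARY" if rfc2307bis else "STRUCTURAL", "top", {"cn", "gidNumber"}),
    }
    if rfc2307bis:
        s["namedObject"] = ("STRUCTURAL", "top", set())
    return s

def required(oc, s):
    """MUST attributes of oc and its superiors, mapped to the declaring class
    (so a missing sn is reported against 'person', as slapd does)."""
    out = {}
    while oc is not None:
        _kind, sup, must = s[oc]
        for attr in must:
            out.setdefault(attr, oc)
        oc = sup
    return out

def validate(entry, s):
    """Return the problems slapd would report for entry under schema s."""
    classes = entry["objectClass"]
    unknown = [c for c in classes if c not in s]
    if unknown:
        return ["unknown objectClass: " + ", ".join(unknown)]
    problems = []
    if not any(s[c][0] == "STRUCTURAL" for c in classes):
        problems.append("no structural objectClass")
    for c in classes:
        for attr, declared_by in sorted(required(c, s).items()):
            if attr not in entry:
                problems.append(f"object class '{declared_by}' requires attribute '{attr}'")
    return problems

def user_entry(uid, uid_number, gid_number, sid, use_inetorgperson):
    """Attributes a provisioning step would write for a user.  With
    inetOrgPerson, sn is copied from cn, the fix proposed in comment 1."""
    entry = {
        "objectClass": ["posixAccount", "sambaSamAccount"],
        "uid": uid, "cn": uid,
        "uidNumber": str(uid_number), "gidNumber": str(gid_number),
        "homeDirectory": f"/home/{uid}", "sambaSID": sid,
    }
    if use_inetorgperson:
        entry["objectClass"].insert(0, "inetOrgPerson")
        entry["sn"] = entry["cn"]
    else:
        entry["objectClass"].insert(0, "account")
    return entry

def group_entry(cn, gid_number, members, mode, empty_member_workaround=False):
    """mode mirrors the patch's ldapsam:editposix_rfc2307bis values
    ('namedObject' or 'groupOfNames'); 'nis' is a bare posixGroup."""
    entry = {"objectClass": ["posixGroup"], "cn": cn, "gidNumber": str(gid_number)}
    if mode == "groupOfNames":
        entry["objectClass"].append("groupOfNames")
        if members:
            entry["member"] = [f"uid={m},ou=People,{BASE_DN}" for m in members]
        elif empty_member_workaround:
            entry["member"] = [""]   # comment 9's workaround: an empty member value
    elif mode in ("namedObject", "nis"):
        if mode == "namedObject":
            entry["objectClass"].append("namedObject")
        if members:
            entry["memberUid"] = list(members)   # posixGroup's own member list
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return entry

def to_ldif(dn, entry):
    """Render an entry as LDIF, one attribute value per line."""
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    bis = schema(True)
    for mode in ("nis", "namedObject", "groupOfNames"):
        g = group_entry("users", 513, [], mode)
        print(to_ldif(f"cn=users,ou=Groups,{BASE_DN}", g), validate(g, bis))
```

Running it with the rfc2307bis table shows the bug's original symptom directly: a bare posixGroup has no structural class, an empty groupOfNames is missing member, and only the namedObject layout (or the empty-member workaround) validates for a group with no members yet.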
Comment 12 Volker Lendecke 2010-10-22 06:18:10 UTC
Comment on attachment 5864 [details]
rfc2307 patch for ldapsam:editposix

Do I read this patch right that it only covers "net sam provision"? This does not cover the case of adding groups via ldapsam:editposix remotely, right?

Volker
Comment 13 oota toshiya 2010-10-22 06:57:34 UTC
(In reply to comment #12)
> (From update of attachment 5864 [details])
> Do I read this patch right that it only covers "net sam provision"? This does
> not cover the case of adding groups via ldapsam:editposix remotely, right?

Maybe yes.
I only tested locally.

Comment 14 Volker Lendecke 2010-11-18 08:46:10 UTC
Ok, looked at the bug again: You need that ONLY in "net sam
provision"? I think for upstream inclusion this is not
sufficient. We also need the corresponding changes in
passdb/pdb_ldap.c to take care of the attributes when later
on adding/modifying users. The patch that was posted
explicitly stated that it is done for ldapsam:editposix, and
for upstream this also includes the editability via usrmgr,
not just the one-shot provision.

I apologize that I am not willing to put this upstream in
this form. I will reject the bug formally. Please re-open it
when the appropriate patch is available.

Comment 15 oota toshiya 2011-04-12 07:21:28 UTC
Created attachment 6399 [details]
rfc2307 patch for ldapsam:editposix

rfc2307 patch for ldapsam:editposix again
Comment 16 oota toshiya 2011-04-12 07:33:01 UTC
(In reply to comment #14)

> sufficient. We also need the corresponding changes in
> passdb/pdb_ldap.c to take care of the attributes when later
> on adding/modifying users. The patch that was posted
> explicitly stated that it is done for ldapsam:editposix, and
> for upstream this also includes the editability via usrmgr,
> not just the one-shot provision.

I created the patch again and tested:

1)  net sam provision

    This command uses source3/utils/net_sam.c code.

2)  net rpc group add  foobar

    This command uses source3/passdb/pdb_ldap.c

So, this patch is enough to solve all the problems, I think.