Please expand ldapsam:editposix (lds:ep) so that it supports the rfc2307bis.schema. nss_ldap supports rfc2307bis, but 'net sam provision' will fail if you replace nis.schema with rfc2307bis.schema. Also, please modify the LDAP_OBJ_ACCOUNT variable in (samba version 3.0.24:./source/include/smbldap.h) to use the structural objectclass "person" instead of objectclass = "account". Using inetorgperson is a much better choice as other parts of the network need to store contact phone numbers and other data along with the samba account. While I can currently edit the source to make this change myself, there may come a time when such a change would be beyond simply the editing of a variable and thus 'out of reach'.
(In reply to comment #0)
> Also, please modify the LDAP_OBJ_ACCOUNT variable in (samba version
> 3.0.24:./source/include/smbldap.h) to use the structural objectclass "person"
> instead of objectclass = "account".

Just changing the LDAP_OBJ_ACCOUNT variable results in a slapd error, "object class 'person' requires attribute 'sn'". Using the value of 'cn' to fill in 'sn' could be one possible fix.
Created attachment 2708 [details]
inetOrgPerson support for editposix

This patch may be a way to add support to use the inetOrgPerson objectClass instead of account when using ldapsam:editposix. Please test it and let me know if this works for you.
Simo: Question -- can we make this a bit more generic? My feeling is that a parameter for this specific case might not be optimal. I don't have an exact config style in mind, but I could imagine that others with other wishes will show up.
Yes we can, and that is why I didn't commit it. I would like to come up with a completely user configurable way of doing this. But meanwhile this patch can be used as a stop gap for people that really need to use inetOrgPerson.
The inetOrgPerson patch DOES work when the case-sensitive option

ldapsam:editposix use inetOrgPerson = yes

...is added to smb.conf.
Just for reference: "ulimit" on irc just discovered the groupOfNames / namedObject classes that solve the "posixGroup is auxiliary" problem. namedObject is to be used when no member is around, the structural class changes once a member is added to the group. YaST does this, so Novell is aware of this -- maybe they can submit a patch to editPosix? :-) Volker
(In reply to comment #6)
> Just for reference: "ulimit" on irc just discovered the groupOfNames /
> namedObject classes that solve the "posixGroup is auxiliary" problem.
> namedObject is to be used when no member is around, the structural class
> changes once a member is added to the group.

This does not work with OpenLDAP, because strict adherence to the LDAP RFC forbids adding/removing/modifying structural classes, so you'd have to delete and add again the object (and this would lead to other problems).

> YaST does this, so Novell is aware of this -- maybe they can submit a patch to
> editPosix? :-)

The solution would be to modify the groupOfNames class. We had some extensive discussion some months ago on the ldap standards mailing list, to come up with a new objectclass that would solve the issues, but then discussion stalled. On some servers the schema has been changed and member made MAY instead of MUST; it's a minor violation, but I am all for it, as the object class as is is just plain stupid.
You don't happen to have a pointer to this discussion?
I just found another possible solution or workaround at http://linux.derkeiler.com/Mailing-Lists/SuSE/2008-04/msg01104.html: basically they talk about adding an empty member: attribute at the beginning. While this wouldn't be exactly "nice", it wouldn't require modifying an existing schema.
Created attachment 5864 [details] rfc2307 patch for ldapsam:editposix
I made another patch for this problem, like the "inetOrgPerson support for editposix" patch by Simo Sorce. This patch has a new parameter, "ldapsam:editposix_rfc2307bis". If ldapsam:editposix_rfc2307bis = namedObject, then use namedObject from rfc2307bis.schema. If ldapsam:editposix_rfc2307bis = groupOfNames, then use groupOfNames from core.schema. This patch was tested on Samba-3.4.3 of openSUSE 11.2.
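As an added example (not code from this thread, from Samba, or from either patch), the following builders encode the schema constraints raised in comments #1 and #11: 'sn' filled from 'cn' for an inetOrgPerson user, and namedObject versus groupOfNames as the structural class for a posixGroup under rfc2307bis. The base DNs and sample values are constructed.

```python
# Added example: LDIF builders applying the schema rules discussed above.
# Constructed base DNs; real deployments substitute their own suffix.

def _ldif(attrs):
    return "".join(f"{k}: {v}\n" for k, v in attrs)

def ldif_user(uid, uid_number, gid_number, home, sn=None,
              base_dn="ou=Users,dc=example,dc=com"):
    """inetOrgPerson + posixAccount user. inetOrgPerson inherits from
    'person', which has sn as MUST, so sn defaults to cn (comment #1)."""
    cn = uid
    return _ldif([
        ("dn", f"uid={uid},{base_dn}"),
        ("objectClass", "inetOrgPerson"),  # STRUCTURAL, replaces 'account'
        ("objectClass", "posixAccount"),   # AUXILIARY
        ("uid", uid), ("cn", cn), ("sn", sn or cn),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", home),
    ])

def ldif_group(cn, gid_number, members=(), structural="namedObject",
               base_dn="ou=Groups,dc=example,dc=com"):
    """posixGroup is AUXILIARY in rfc2307bis, so a group needs a STRUCTURAL
    class. 'structural' mirrors the ldapsam:editposix_rfc2307bis choice from
    comment #11: namedObject (rfc2307bis.schema) or groupOfNames (core.schema).
    Note that on OpenLDAP the structural class cannot be changed afterwards
    (comment #7), so this choice is made once per group."""
    members = list(members)
    if structural not in ("namedObject", "groupOfNames"):
        raise ValueError(f"unsupported structural class {structural!r}")
    if structural == "groupOfNames" and not members:
        raise ValueError("groupOfNames lists member as MUST; empty group rejected")
    if structural == "namedObject" and members:
        raise ValueError("namedObject has no 'member' attribute")
    attrs = [("dn", f"cn={cn},{base_dn}"), ("objectClass", structural),
             ("objectClass", "posixGroup"), ("cn", cn),
             ("gidNumber", str(gid_number))]
    return _ldif(attrs + [("member", m) for m in members])

def parse_ldif(text):
    """Parse one plain LDIF entry (no folding, no base64) into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            k, v = line.split(": ", 1)
            entry.setdefault(k, []).append(v)
    return entry
```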
Comment on attachment 5864 [details]
rfc2307 patch for ldapsam:editposix

Do I read this patch right that it only covers "net sam provision"? This does not cover the case of adding groups via ldapsam:editposix remotely, right? Volker
(In reply to comment #12)
> (From update of attachment 5864 [details])
> Do I read this patch right that it only covers "net sam provision"? This does
> not cover the case of adding groups via ldapsam:editposix remotely, right?

Maybe yes. I only tested locally.
Ok, looked at the bug again: You need that ONLY in "net sam provision"? I think for upstream inclusion this is not sufficient. We also need the corresponding changes in passdb/pdb_ldap.c to take care of the attributes when later on adding/modifying users. The patch that was posted explicitly stated that it is done for ldapsam:editposix, and for upstream this also includes the editability via usrmgr, not just the one-shot provision. I apologize that I am not willing to put this upstream in this form. I will reject the bug formally. Please re-open it when the appropriate patch is available.
Created attachment 6399 [details]
rfc2307 patch for ldapsam:editposix

rfc2307 patch for ldapsam:editposix again
(In reply to comment #14)
> sufficient. We also need the corresponding changes in
> passdb/pdb_ldap.c to take care of the attributes when later
> on adding/modifying users. The patch that was posted
> explicitly stated that it is done for ldapsam:editposix, and
> for upstream this also includes the editability via usrmgr,
> not just the one-shot provision.

I created the patch again and tested:
1) net sam provision
This command uses source3/utils/net_sam.c code.
2) net rpc group add foobar
This command uses source3/passdb/pdb_ldap.c.
So this patch is enough to solve all the problems, I think.