I'm setting up an OUD infrastructure which will provide a central place for authentication and authorization services to several UNIX systems (Linux and Solaris).
I have been successful thus far at getting these systems to recognise the users and authenticate these users against OUD. The next step is to filter access to systems based on secondary group membership.
I have a group in LDAP called "sysadmins".
# sysadmins, Groups, mycompany.com
dn: cn=sysadmins,ou=Groups,dc=mycompany,dc=com
userPassword:: e2NyeXB0fXg=
gidNumber: 210
objectClass: posixGroup
objectClass: namedObject
objectClass: top
cn: sysadmins
I should be able to create an LDIF file like so to add a user to this group.
dn: cn=sysadmins,ou=Groups,dc=mycompany,dc=com
changetype: modify
add: memberUid
memberUid: fred.chagnon
When I do this, the ldapmodify command exits with no error. But then if I do a getent groups, the line entry for the sysadmins group does not contain any additional users. Similarly, the groups(1) command does not show that this user belongs to any group other than the primary group.
If I attempt to rerun the ldapmodify command with the same LDIF file, I get an error stating the value already exists.
modifying entry "cn=sysadmins,ou=Groups,dc=mycompany,dc=ca"
ldapmodify: Type or value exists (20)
additional info: Entry cn=sysadmins,ou=Groups,dc=mycompany,dc=ca cannot be modified because it would have resulted in one or more duplicate values for attribute memberUid: fred.chagnon
So I know that the attribute has been added in LDAP. Strangely, if I dump the database using ldapsearch with no filter, I don't see a memberuid attribute for this group.
Is my issue an LDAP client config issue where the client doesn't know how to query the right attributes from the LDAP server (i.e. memberuid vs. member?) or is this an issue with OUD?
Fred
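A small diagnostic, added here as an example and not part of the original post: it parses an ldapsearch LDIF dump and compares a posixGroup's memberUid values with the member field of the matching `getent group` line, so the directory-side and NSS-side views of membership can be diffed. The LDIF entry and the getent line below are constructed sample input modelled on the post.

```python
"""Compare posixGroup memberUid values in an LDIF dump with the members NSS reports."""
import base64

# Constructed sample input: the group entry after the memberUid modify, and the
# getent line the poster observed (no secondary members listed by NSS).
SAMPLE_LDIF = """# sysadmins, Groups, mycompany.com
dn: cn=sysadmins,ou=Groups,dc=mycompany,dc=com
userPassword:: e2NyeXB0fXg=
gidNumber: 210
objectClass: posixGroup
objectClass: namedObject
objectClass: top
cn: sysadmins
memberUid: fred.chagnon
"""
SAMPLE_GETENT = "sysadmins:x:210:"


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles '#' comments, blank-line separators, '::' base64 values and
    continuation lines (leading space)."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # entry separator
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last:         # folded continuation
            current[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name, []).append(value.strip())
        last = name
    if current:
        entries.append(current)
    return entries


def compare_group(ldif_text, getent_line):
    """Return members present only in LDAP and only in NSS for one group."""
    name, _pw, _gid, members = getent_line.strip().split(":", 3)
    nss = {m for m in members.split(",") if m}
    ldap = set()
    for e in parse_ldif(ldif_text):
        if name in e.get("cn", []) and "posixGroup" in e.get("objectClass", []):
            ldap = set(e.get("memberUid", []))
    return {"only_in_ldap": sorted(ldap - nss), "only_in_nss": sorted(nss - ldap)}
```

A non-empty `only_in_ldap` list is the symptom described above: the directory holds the value, but the NSS client never surfaces it.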