LDAP secondary group memberships with OpenDJ and Ubuntu 12.04

As a follow-up to this post, let’s now configure OpenDJ and Ubuntu to use LDAP for assigning secondary groups to user accounts.

This is a quick guide intended for testing only, and we are assuming the setup here has been followed. One change is that we are using Ubuntu 12.04 x86 as the client system.

First, let’s create a new test group in OpenDJ. We assign it the structural object class namedObject, and the auxiliary object class posixGroup. The group GID number is 130, and we add a memberUid entry, with the UID of an existing LDAP account:

Now, on our test Ubuntu 12.04 x86 client, we modify /etc/ldap.conf, adding the following entry:

nss_schema rfc2307bis


This enables rfc2307bis LDAP schema support for PAM (OpenDJ uses the rfc2307bis schema by default).

Next, again in /etc/ldap.conf, we uncomment the nss_base_group setting in the section headed by the comment “RFC2307bis naming contexts”, and give it the value shown:

nss_base_group ou=Groups,dc=example,dc=co,dc=nz


Obviously you would modify the domain components to suit.

We now restart the nscd service, and verify that the secondary group information can be retrieved for an LDAP user:

itadmin@turrican2:/etc$ sudo /etc/init.d/nscd restart
 * Restarting Name Service Cache Daemon nscd [ OK ]
itadmin@turrican2:/etc$
uid=1004(davek) gid=50(staff) groups=130(testgroup),50(staff)


We can see that the secondary group testgroup with the GID number of 130 is successfully retrieved from LDAP for this user.
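A small check for the client-side steps above, as an added example that is not part of the original post: it confirms that an ldap.conf-style file has both settings active (not commented out) and that a given group appears in `id` output. The function names are hypothetical helpers, and the sample data is constructed from the values shown in this post.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample data is constructed.

# Print the value of the last uncommented occurrence of key $2 in file $1.
ldap_conf_value() {
    awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (val != "") print val }' "$1"
}

# Succeed only if file $1 enables rfc2307bis and sets nss_base_group.
check_ldap_conf() {
    [ "$(ldap_conf_value "$1" nss_schema)" = "rfc2307bis" ] ||
        { echo "nss_schema is not rfc2307bis" >&2; return 1; }
    [ -n "$(ldap_conf_value "$1" nss_base_group)" ] ||
        { echo "nss_base_group is not set" >&2; return 1; }
}

# Succeed if `id`-style output $1 lists GID $2 with group name $3.
id_has_group() {
    list=${1##*groups=}   # keep only the text after "groups="
    list=${list%% *}      # drop any trailing fields
    case ",$list," in
        *",$2($3),"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on constructed sample data (nothing is read from the live system).
sample_conf=$(mktemp)
printf '%s\n' \
    '#nss_base_group ou=Group,dc=padl,dc=com' \
    'nss_schema rfc2307bis' \
    'nss_base_group ou=Groups,dc=example,dc=co,dc=nz' > "$sample_conf"
check_ldap_conf "$sample_conf" && echo "ldap.conf: both settings active"
id_has_group 'uid=1004(davek) gid=50(staff) groups=130(testgroup),50(staff)' \
    130 testgroup && echo "id: testgroup (130) resolved"
rm -f "$sample_conf"
```

On a real client, pass /etc/ldap.conf to check_ldap_conf and the output of `id` for the LDAP user to id_has_group.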

Fun with JSPWiki skins

I really love JSPWiki. It’s super-easy to install, doesn’t require any additional configuration for a back-end database, the native interface is quick and fast to use, and it just runs and runs. Great software.

If there’s one area however where it’s lacking, it’s in a nice selection of bundled good-looking themes. But hey, it’s free and open source software, so one is really in no position to complain – and new skins can be created using entirely standard and familiar HTML and CSS.

It’s worth noting the difference between JSPWiki templates and skins – described at http://www.jspwiki.org/wiki/JSPWikiSkinDesign

After a bit of tinkering with CSS and the bundled “Smart” theme, I came up with this:

Not the stuff of professional web design, but a definite improvement on the default theme, in my humble opinion.

Enable LDAP authentication with Nuxeo

Authenticating Nuxeo users against an LDAP directory is straightforward but for a bug which I encountered.

The instructions for enabling LDAP authentication are here: http://doc.nuxeo.com/display/ADMINDOC/Using+a+LDAP+directory. I am using Tomcat in my case, with OpenDJ as the LDAP server.

The bug I encountered is here: https://jira.nuxeo.com/browse/NXP-6574

And, the workaround I had to implement to get LDAP authentication up and running is detailed here: http://answers.nuxeo.com/questions/701/ad-ldap-connection-issues.

With this in place, LDAP authentication works as expected.