As a follow-up to this post, let’s now configure OpenDJ and Ubuntu to use LDAP for assigning secondary groups to user accounts.
This is a quick guide intended for testing only, and we are assuming the setup here has been followed. One change is that we are using Ubuntu 12.04 x86 as the client system.
First, let’s create a new test group in OpenDJ. We assign it the structural object class namedObject, and the auxiliary object class posixGroup. The group GID number is 130, and we add a memberUid entry, with the UID of an existing LDAP account:
Now, on our test Ubuntu 12.04 x86 client, we modify /etc/ldap.conf, adding the following entry:
This enables rfc2307bis LDAP schema support for PAM (OpenDJ uses the rfc2307bis schema by default).
Next, again in /etc/ldap.conf we uncomment the nss_base_group setting in the section headed with the comment “RFC2307bis naming contexts”, and give it the value as shown:
Obviously you would modify the domain components to suit.
We now restart the nscd service, and verify that the secondary group information can be retrieved for an LDAP user:
itadmin@turrican2:/etc$ sudo /etc/init.d/nscd restart * Restarting Name Service Cache Daemon nscd [ OK ] itadmin@turrican2:/etc$ itadmin@turrican2:/etc$ id davek uid=1004(davek) gid=50(staff) groups=130(testgroup),50(staff)
We can see that the secondary group testgroup with the GID number of 130 is successfully retrieved from LDAP for this user.