| 217 | | dn: cn=adm,ou=Group,dc=instXY,dc=ac,dc=lk |
| 218 | | cn: adm |
| 219 | | description: System Admin Staff |
| 220 | | gidNumber: 1500 |
| 221 | | objectClass: posixGroup |
| 222 | | objectClass: top |
| 223 | | |
| 224 | | dn: cn=acd,ou=Group,dc=instXY,dc=ac,dc=lk |
| 225 | | cn: acd |
| 226 | | description: Acadamic Staff |
| 227 | | gidNumber: 2000 |
| 228 | | objectClass: posixGroup |
| 229 | | objectClass: top |
| 230 | | |
| 231 | | dn: cn=student,ou=Group,dc=instXY,dc=ac,dc=lk |
| 232 | | cn: student |
| 233 | | description: Students |
| 234 | | gidNumber: 5000 |
| 235 | | objectClass: posixGroup |
| 236 | | objectClass: top |
| 237 | | |
| 238 | | dn: ou=servers,dc=instXY,dc=ac,dc=lk |
| | 217 | dn: ou=Servers,dc=instXY,dc=ac,dc=lk |
| 253 | | |
| 254 | | dn: uid=testme,ou=people,dc=instXY,dc=ac,dc=lk |
| | 232 | }}} |
| | 233 | |
| | 234 | Save the above as a .ldif file and add it to your directory as |
| | 235 | {{{ |
| | 236 | sudo ldapadd -H ldap:// -x -D "cn=admin,dc=instXY,dc=ac,dc=lk" -W -Z -f path_to_file.ldif |
| | 237 | }}} |
| | 238 | |
| | 239 | When Creating Users and Groups there are several ways in linking them with each other. This makes easy to search users, their associated groups as well as the groups and their associated users. |
| | 240 | |
| | 241 | * Option 1: Create Posix Groups, define `gidNumber` and link user with it. |
| | 242 | |
| | 243 | {{{ |
| | 244 | dn: cn=adm,ou=Group,dc=instXY,dc=ac,dc=lk |
| | 245 | cn: adm |
| | 246 | description: System Admin Staff |
| | 247 | gidNumber: 1000 |
| | 248 | objectClass: posixGroup |
| | 249 | objectClass: top |
| | 250 | |
| | 251 | |
| | 252 | dn: uid=testme1,ou=people,dc=instXY,dc=ac,dc=lk |
| 274 | | mail: testme@instXY.ac.lk |
| 275 | | eduPersonAffiliation: member |
| 276 | | }}} |
| 277 | | |
| 278 | | Save the above as a .ldif file and add it to your directory as |
| 279 | | {{{ |
| 280 | | sudo ldapadd -H ldap:// -x -D "cn=admin,dc=instXY,dc=ac,dc=lk" -W -Z -f path_to_file.ldif |
| 281 | | }}} |
| 282 | | |
| 283 | | More about federated attributes http://wiki.aaf.edu.au/tech-info/attributes |
| 284 | | |
| 285 | | More About SCHAC schema https://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.3.0.pdf |
| | 272 | mail: testme1@instXY.ac.lk |
| | 273 | eduPersonAffiliation: staff |
| | 274 | }}} |
| | 275 | |
| | 276 | * Option 2: Define `groupOfNames` with `memberOf` overlay. (recommended in edugain installations) |
| | 277 | |
| | 278 | To do this we need to create 3 .ldif files and import to the slapd. |
| | 279 | |
| | 280 | `memberof_config.ldif` |
| | 281 | |
| | 282 | {{{ |
| | 283 | dn: cn=module,cn=config |
| | 284 | cn: module |
| | 285 | objectClass: olcModuleList |
| | 286 | olcModuleLoad: memberof |
| | 287 | olcModulePath: /usr/lib/ldap |
| | 288 | |
| | 289 | dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config |
| | 290 | objectClass: olcConfig |
| | 291 | objectClass: olcMemberOf |
| | 292 | objectClass: olcOverlayConfig |
| | 293 | objectClass: top |
| | 294 | olcOverlay: memberof |
| | 295 | olcMemberOfDangling: ignore |
| | 296 | olcMemberOfRefInt: TRUE |
| | 297 | olcMemberOfGroupOC: groupOfNames |
| | 298 | olcMemberOfMemberAD: member |
| | 299 | olcMemberOfMemberOfAD: memberOf |
| | 300 | }}} |
| | 301 | |
| | 302 | `refint1.ldif` |
| | 303 | |
| | 304 | {{{ |
| | 305 | dn: cn=module{1},cn=config |
| | 306 | add: olcmoduleload |
| | 307 | olcmoduleload: refint |
| | 308 | }}} |
| | 309 | |
| | 310 | `refint2.ldif` |
| | 311 | |
| | 312 | {{{ |
| | 313 | dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config |
| | 314 | objectClass: olcConfig |
| | 315 | objectClass: olcOverlayConfig |
| | 316 | objectClass: olcRefintConfig |
| | 317 | objectClass: top |
| | 318 | olcOverlay: {1}refint |
| | 319 | olcRefintAttribute: memberof member manager owner |
| | 320 | }}} |
| | 321 | |
| | 322 | To set up the memberof module and configure it, run this command: |
| | 323 | |
| | 324 | `sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif` |
| | 325 | |
| | 326 | To load and configure the refint module (Referential Integrity overlay) |
| | 327 | |
| | 328 | `sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif` |
| | 329 | |
| | 330 | `sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif` |
| | 331 | |
| | 332 | > Every group created before this module is enabled has to be deleted and remade in order for these changes to take effect. LDAP assigns a "member" attribute behind the scenes to existing users when creating a group. |
| | 333 | |
| | 334 | `addgroup.idif` |
| | 335 | |
| | 336 | {{{ |
| | 337 | dn: cn=staff,ou=Group,dc=instXY,dc=ac,dc=lk |
| | 338 | objectClass: groupofnames |
| | 339 | cn: staff |
| | 340 | description: All users |
| | 341 | member: uid=testme1,ou=people,dc=instXY,dc=ac,dc=lk |
| | 342 | }}} |
| | 343 | |
| | 344 | >Make sure to add "member : user_dn" pair line for each user you want to add to this group. |
| | 345 | |
| | 346 | Load group to the system by: |
| | 347 | |
| | 348 | `sudo ldapadd -H ldap:// -x -D "cn=admin,dc=instXY,dc=ac,dc=lk" -W -Z -f addgroup.ldif` |
| | 349 | |
| | 350 | |
| | 351 | |
| | 352 | More details on federated attributes http://wiki.aaf.edu.au/tech-info/attributes |
| | 353 | |
| | 354 | More on SCHAC schema https://www.terena.org/activities/tf-emc2/docs/schac/schac-schema-IAD-1.3.0.pdf |
| | 355 | |
