Hello,
I am using the LDAP schema groupOfNames inside OpenLDAP, where the attribute member is mandatory. Therefore I have set up a group attribute in the Module Config of "LDAP Users and Groups" in Webmin, in the LDAP Attributes configuration category:
member: cn=GROUP,ou=groups,dc=local
Now I can add LDAP groups with the Webmin module, but this does not work for Virtualmin. When I want to create a new virtual server it gives me the following:
Creating administration group GROUP .. .. failed to create administration group : ldap-useradmin::create_group failed : Failed to add group to LDAP database : object class 'groupOfNames' requires attribute 'member' at /usr/share/webmin/web-lib-funcs.pl line 1397.
What can I do to fix this? I need to keep the LDAP schema, because of the use of the GOsa plugin on another part of the LDAP setup.
Thanks, Steffen
Comments
Submitted by JamieCameron on Wed, 04/22/2015 - 22:00 Comment #1
There isn't any easy work-around - when Virtualmin creates the group in LDAP, it doesn't add any members initially because the domain's user already has the group as its primary. In fact, requiring that all groups have at least one secondary member conflicts with what is possible in the /etc/group file.
Submitted by stf on Thu, 04/23/2015 - 12:06 Comment #2
Couldn't you just simply let the group be a member of itself?
Submitted by JamieCameron on Thu, 04/23/2015 - 19:15 Comment #3
Unix groups can contain other groups as members though?
Submitted by stf on Mon, 04/27/2015 - 15:25 Comment #4
You're right, groups cannot contain groups.
What about putting the newly created user directly into the group? I mean you create a group and a user, so why not put the user into the group and also fill the attribute member? This doesn't have to be a secondary member; it can also be the first member of the group.
E.g. member = cn=xy,dc=domain,dc=com and memberUid = xy
and xy can be the created user (primary).
Thanks, Steffen
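As an added illustration of the suggestion above (this is example code written for this page, not Virtualmin's, Webmin's or GOsa's own code): a small model of the mandatory-attribute rule that produced the error in the question, together with the group entry built the two ways the thread discusses, without a member (what Virtualmin does today) and with the new domain user as the first member. The MUST lists come from the published schemas (posixGroup in RFC 2307, groupOfNames in RFC 4519); the DNs, uid and gidNumber are made up for the example. The LDIF it prints would be fed to ldapadd against a real directory; nothing here talks to a server.

```python
"""Added example: why a groupOfNames entry without member is rejected,
and what the entry looks like once the domain user is listed as member.

All DNs, names and numbers below are constructed for the example.
"""

# MUST attribute lists taken from the published schemas: posixGroup
# (RFC 2307) and groupOfNames (RFC 4519).  memberUid is MAY in posixGroup,
# which is why a posixGroup-only entry needs no members at all.  A real
# server also enforces MAY lists, syntaxes and structural-class rules;
# this model covers only the mandatory-attribute rule the ldapadd tripped.
MUST = {
    "top": frozenset(),
    "posixGroup": frozenset({"cn", "gidNumber"}),
    "groupOfNames": frozenset({"cn", "member"}),
}


def missing_must(entry):
    """Return schema errors for MUST attributes the entry lacks.

    `entry` maps attribute names to lists of values.  Names are compared
    case-insensitively, as LDAP attribute types are.  The messages mirror
    the wording OpenLDAP uses ("object class 'X' requires attribute 'Y'").
    """
    present = {name.lower() for name, values in entry.items() if values}
    errors = []
    for oc in entry.get("objectClass", []):
        for attr in sorted(MUST.get(oc, ())):
            if attr.lower() not in present:
                errors.append(f"object class '{oc}' requires attribute '{attr}'")
    return errors


def admin_group_entry(cn, gid_number, user_dn=None, user_uid=None):
    """Build the administration group entry.

    Without user_dn this is the entry the thread says Virtualmin creates:
    the new domain user has the group as primary, so no member is listed.
    With user_dn (and optionally user_uid) the group lists that user as
    its first member, which is the change proposed in the comment above.
    """
    entry = {
        "objectClass": ["top", "posixGroup", "groupOfNames"],
        "cn": [cn],
        "gidNumber": [str(gid_number)],
    }
    if user_dn is not None:
        entry["member"] = [user_dn]        # groupOfNames: DN-valued
    if user_uid is not None:
        entry["memberUid"] = [user_uid]    # posixGroup: uid string, optional
    return entry


def to_ldif(dn, entry):
    """Render an entry as LDIF, ready for `ldapadd -f`."""
    lines = [f"dn: {dn}"]
    for name, values in entry.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    base = "ou=groups,dc=local"   # constructed base DN
    broken = admin_group_entry("GROUP", 5001)
    print(missing_must(broken))   # the error from the question
    fixed = admin_group_entry("GROUP", 5001,
                              user_dn="uid=xy,ou=people,dc=local",
                              user_uid="xy")
    print(missing_must(fixed))    # []
    print(to_ldif(f"cn=GROUP,{base}", fixed))
```

The check runs before anything reaches the directory, so it reproduces the failure offline; the same entry with member filled passes, while memberUid stays optional and is included only for tools that read posixGroup membership.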
Submitted by JamieCameron on Mon, 04/27/2015 - 19:19 Comment #5
I suppose that could be done, although it would be confusing to most users as the membership is redundant. Is there something special about your schema that doesn't allow even an empty list of secondary members?
Submitted by stf on Wed, 04/29/2015 - 11:50 Comment #6
Hi Jamie,
this is the standard of groupOfNames, which is used by GOsa, which I use (see the schemas used at https://oss.gonicus.de/labs/gosa/wiki/InstallingLdap). The thing is that I create LDAP users/groups with this tool and then the groupOfNames schema is applied to groups automatically...
Hmm, I could also set up another schema for Virtualmin's groups? Does this matter, or will something crash? I won't be able to manage these groups through GOsa then (which is not necessary at this point)? Would something like this work? What do you need to create LDAP groups? Is the Webmin default used here?
Thanks, Steffen
Submitted by JamieCameron on Wed, 04/29/2015 - 23:38 Comment #7
So normally Virtualmin just creates groups using the posixGroup object class, which doesn't have the requirement that the memberUid attribute exist. On your system, did you customize the schema for this class, or change the object class Webmin uses for groups?