Non working ldif examples #2907

Closed
refs opened this issue Dec 21, 2021 · 4 comments

refs commented Dec 21, 2021

Describe the bug

After a bit of debugging, the default ldif files don't seem to provide a working out-of-the-box experience for a properly configured ldap server. When running openldap with the default files, the following error occurs:

additional info: invalid structural object class chain (groupOfUniqueNames/posixGroup)

Having a look at the groups, the issue seems to originate in the group entries:

dn: ou=groups,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=users,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
cn: users
description: Users
gidNumber: 30000
ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com

For some reason I have not yet discovered, having posixGroup as a child of groupOfUniqueNames is not possible. Now, getting rid of posixGroup

Steps to reproduce

Steps to reproduce the behavior:

  1. download all the ldif files in this repository and place them on your filesystem, then mount them as a volume for the openldap docker image.
  2. setup an openldap server.
docker run \
        --volume /path/to/openldap/ldif/files/dir:/container/service/slapd/assets/config/bootstrap/ldif/custom \
        -p 389:389 \
        -p 636:636 \
        -e LDAP_DOMAIN="owncloud.com" \
        -e LDAP_TLS_VERIFY_CLIENT=never \
        -e LDAP_ORGANISATION=ownCloud \
        -e LDAP_ADMIN_PASSWORD=admin  \
        osixia/openldap:1.5.0 --loglevel=debug --copy-service

Expected behavior

openldap running with such files

Actual behavior

Error occurs:

61c1b746 conn=1017 fd=12 closed
***  DEBUG  | 2021-12-21 11:15:18 | ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (groupOfUniqueNames/posixGroup)
adding new entry "ou=groups,dc=owncloud,dc=com"
refs added the Type:Bug label Dec 21, 2021

refs commented Dec 21, 2021

some people replace using a schema such as rfc2307bis.schema

source

rhafer commented Jan 3, 2022

For some reason I have not yet discovered, having posixGroup as a child of groupOfUniqueNames is not possible. Now, getting rid of posixGroup

It's because of a design flaw in the RFC2307 Schema :-(. The LDAP Standard only allows a single entry to have a single "structural Objectclass" (and multiple auxiliary Classes). Unfortunately in RFC2307 posixGroup was defined as structural and groupOfUniqueNames is structural as well (many LDAP servers just don't implement this restriction. OpenLDAP does however). A possible workaround, as you already found out, is to use the revised (but never formally standardized) RFC2307bis Schema.

If you're using the osixia/openldap container it should be possible to do that by setting the LDAP_RFC2307BIS_SCHEMA env variable to true.
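The rule rhafer describes (one structural object class per entry, other structural classes allowed only when they sit in the same superclass chain) can be checked before an LDIF file ever reaches slapd. The script below is an added example, not code from the ownCloud repository or the osixia image: it parses the group entries quoted in the issue and applies the structural-chain rule under two hand-written schema tables, one where posixGroup is STRUCTURAL (RFC 2307) and one where it is AUXILIARY (RFC 2307bis). The schema tables, the superclass links and the treatment of the ownCloud class as auxiliary are simplified assumptions made for the example; the real check in OpenLDAP also walks the full SUP chain of every class it loads.

```python
"""Detect the "invalid structural object class chain" condition in LDIF entries.

Added example; schema tables are a constructed subset, not a full RFC 2307 /
RFC 2307bis or ownCloud schema. Each class maps to (kind, superior class).
"""
from typing import Dict, List, Optional, Set, Tuple

Schema = Dict[str, Tuple[str, Optional[str]]]

# Assumption: superior chains collapsed to "top"; ownCloud treated as auxiliary.
RFC2307: Schema = {
    "top": ("abstract", None),
    "organizationalUnit": ("structural", "top"),
    "groupOfUniqueNames": ("structural", "top"),
    "posixGroup": ("structural", "top"),  # structural in RFC 2307
    "ownCloud": ("auxiliary", "top"),
}
# RFC 2307bis redefines posixGroup as AUXILIARY, which is what makes the entry valid.
RFC2307BIS: Schema = {**RFC2307, "posixGroup": ("auxiliary", "top")}

# Constructed sample: the two group entries from the issue (one member kept).
SAMPLE_LDIF = """\
dn: ou=groups,dc=owncloud,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=users,ou=groups,dc=owncloud,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: ownCloud
cn: users
description: Users
gidNumber: 30000
ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Minimal LDIF parser: returns [(dn, {attribute: [values]})]. '::' (base64)
    values are kept undecoded because only objectClass matters for this check."""
    entries: List[Tuple[str, Dict[str, List[str]]]] = []
    attrs: Optional[Dict[str, List[str]]] = None
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                entries.append((attrs.get("dn", ["<no dn>"])[0], attrs))
            attrs = None
            continue
        if line.startswith("#"):
            continue
        if attrs is None:
            attrs = {}
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.lstrip(":").strip())
    return entries


def ancestors(cls: str, schema: Schema) -> Set[str]:
    """All superior classes of cls, following the SUP links in the schema table."""
    seen: Set[str] = set()
    sup = schema.get(cls, (None, None))[1]
    while sup is not None and sup not in seen:
        seen.add(sup)
        sup = schema.get(sup, (None, None))[1]
    return seen


def check_entry(attrs: Dict[str, List[str]], schema: Schema) -> List[str]:
    """Apply the single-structural-chain rule; returns human-readable problems."""
    problems: List[str] = []
    classes = attrs.get("objectClass", [])
    problems += [f"unknown object class {c}" for c in classes if c not in schema]
    structural = [c for c in classes if schema.get(c, ("",))[0] == "structural"]
    if not structural:
        problems.append("no structural object class")
    elif len(structural) > 1:
        # Valid only if one structural class derives from all the others.
        chain_ok = any(set(structural) - {c} <= ancestors(c, schema) for c in structural)
        if not chain_ok:
            problems.append("invalid structural object class chain (%s)" % "/".join(structural))
    return problems


def check_ldif(text: str, schema: Schema) -> List[Tuple[str, str]]:
    """Run check_entry over every entry; returns [(dn, problem)]."""
    return [(dn, p) for dn, attrs in parse_ldif(text) for p in check_entry(attrs, schema)]


if __name__ == "__main__":
    for name, schema in (("RFC2307", RFC2307), ("RFC2307bis", RFC2307BIS)):
        print(f"{name}: {check_ldif(SAMPLE_LDIF, schema) or 'OK'}")
```

Run as a script it reports the same "invalid structural object class chain (groupOfUniqueNames/posixGroup)" finding for cn=users under the RFC 2307 table and nothing under the RFC 2307bis table, which is exactly the difference that setting LDAP_RFC2307BIS_SCHEMA=true on the osixia container makes on the server side. Pointing check_ldif at the real bootstrap ldif directory before mounting it into the container turns the slapd error into a pre-deployment lint.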

micbar mentioned this issue Feb 16, 2022

wkloucek commented Jun 1, 2022

@rhafer can we close this issue? Seems like we have the setting you recommended in place

rhafer closed this as completed Jun 1, 2022