dn-based linux groups from ldap

Yes.

In your nss_ldap configuration file, set nss_schema:

nss_schema rfc2307bis

On your server in the schema, make sure the posixGroup object class is auxiliary instead of structural.

Then you can use both the groupofmembers(new) or groupofnames(old) and posixgroup objectclasses for each group. Each member will be in a member attribute:

dn: cn=foo,ou=Groups,dc=example
objectclass: top
objectclass: posixgroup
objectclass: groupofmembers
gidnumber: 9234
member: uid=bob,ou=people,dc=example
member: uid=alice,ou=people,dc=example

To get the groupOfMembers schema, you can either extract it from the rfc, or use this one that's been done for you, and save it to /etc/openldap/schema/rfc2307bis.schema. This schema supersedes the nis schema, so remove that one first.

If you're using the cn=config backend

1. create a file convert-schema.conf containing

   include /etc/openldap/schema/core.schema
   include /etc/openldap/schema/cosine.schema
   include /etc/openldap/schema/rfc2307bis.schema
   

2. create a directory called /tmp/converted
3. convert schema to ldif: slaptest -f convert-schema.conf -F /tmp/convert/
   • Fix any errors, including removing apostrophes in values and removing references to the authPassword attribute until slaptest succeeds
4. copy /tmp/convert/cn=config/cn=schema/cn={2}rfc2307bis.ldif to /etc/openldap/rfc2307bis.ldif
5. modify rfc2307bis.ldif
   • change the first line to dn: cn=rfc2307bis,cn=schema,cn=config
   • change the third line to cn: rfc2307bis
   • remove the seven lines at the end (structuralObjectClass through modifyTimestamp)
6. import the schema ldif:
   ldapadd -f rfc2307bis.ldif -D "cn=admin,cn=config" -W