dn-based linux groups from ldap

Is there any way to use one of LDAP's DN-based groups for Linux groups instead of using the uid-based posixGroup objectclass?

More broadly, is there any way I can avoid having one set of groups for supporting Linux accounts and a parallel set of groups that's used by everything else?


Yes.

In your nss_ldap configuration file, set nss_schema:

nss_schema rfc2307bis

On your server in the schema, make sure the posixGroup object class is auxiliary instead of structural.

Then you can use both the groupOfMembers (new) or groupOfNames (old) and posixGroup object classes for each group. Each member will be in a member attribute:

dn: cn=foo,ou=Groups,dc=example
objectClass: top
objectClass: posixGroup
objectClass: groupOfMembers
cn: foo
gidNumber: 9234
member: uid=bob,ou=people,dc=example
member: uid=alice,ou=people,dc=example

To get the groupOfMembers schema, you can either extract it from the RFC, or use this one that's been done for you, and save it to /etc/openldap/schema/rfc2307bis.schema. This schema supersedes the nis schema, so remove that one first.

If you're using the cn=config backend:

  1. create a file convert-schema.conf containing
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/rfc2307bis.schema
    
  2. create a directory called /tmp/convert
  3. convert schema to ldif: slaptest -f convert-schema.conf -F /tmp/convert/
    • Fix any errors, including removing apostrophes in values and removing references to the authPassword attribute until slaptest succeeds
  4. copy /tmp/convert/cn=config/cn=schema/cn={2}rfc2307bis.ldif to /etc/openldap/rfc2307bis.ldif
  5. modify rfc2307bis.ldif
    • change the first line to dn: cn=rfc2307bis,cn=schema,cn=config
    • change the third line to cn: rfc2307bis
    • remove the seven lines at the end (structuralObjectClass through modifyTimestamp)
  6. import the schema ldif:
    ldapadd -f rfc2307bis.ldif -D "cn=admin,cn=config" -W
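Two parts of the answer lend themselves to a quick offline check: the combined posixGroup/groupOfMembers entry (does it carry everything the server and nss_ldap need, and which /etc/group line comes out of it?) and step 5 of the cn=config procedure (the dn/cn rewrite and the removal of the seven trailing operational attributes). The script below is an added example and is not code from the original answer or from OpenLDAP. It assumes the same constructed directory layout as the answer (groups under ou=Groups,dc=example, users under ou=people,dc=example, with uid as the user RDN), and it derives each login from the member DN's RDN as a shortcut instead of looking the member entry up as nss_ldap does; the LDIF samples are constructed, including the slaptest excerpt, which carries a placeholder entryUUID.

```python
# Added example (not from the original answer): minimal LDIF reader, a lint for the
# posixGroup/groupOfMembers entry that renders the /etc/group line nss_ldap derives
# from it, and the step-5 rewrite of a slaptest-generated schema LDIF (samples constructed).

# Operational attributes slaptest appends to each generated schema entry (step 5c).
OPERATIONAL_ATTRS = {"structuralobjectclass", "entryuuid", "creatorsname",
                     "createtimestamp", "entrycsn", "modifiersname", "modifytimestamp"}


def parse_ldif(text):
    """[(dn, attrs)] with lower-cased names; records separated by one blank line."""
    entries = []
    for record in text.strip().split("\n\n"):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # unwrap a continuation line
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep or value.startswith(":"):   # base64 ('::') is not decoded
                raise ValueError(f"unsupported LDIF line: {line!r}")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))  # KeyError if a record lacks dn
    return entries


def check_group(dn, attrs, people_base="ou=people,dc=example"):
    """Lint one rfc2307bis group; return (problems, nss_line). Assumption: members are
    uid=<login>,<people_base>, so the login is taken from the RDN (nss_ldap looks it up)."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "posixgroup" not in classes:
        problems.append("objectClass posixGroup missing (no gidNumber mapping)")
    if not classes & {"groupofmembers", "groupofnames"}:
        problems.append("objectClass groupOfMembers/groupOfNames missing")
    cn = attrs.get("cn", [])
    if not cn:
        problems.append("cn missing: the naming attribute must be in the entry")
    gid = attrs.get("gidnumber", [])
    if len(gid) != 1 or not gid[0].isdigit():
        problems.append("gidNumber must be exactly one integer value")
    if "memberuid" in attrs:
        problems.append("memberUid present: rfc2307bis groups list DNs in member")
    logins = []
    for member in attrs.get("member", []):
        rdn, _, base = member.partition(",")
        if rdn.lower().startswith("uid=") and base.strip().lower() == people_base.lower():
            logins.append(rdn[4:])
        else:
            problems.append(f"member {member!r} is not uid=<login>,{people_base}")
    return problems, None if problems else f"{cn[0]}:x:{gid[0]}:{','.join(logins)}"


def rewrite_schema_ldif(text, name="rfc2307bis"):
    """Step 5: rewrite dn and cn (dropping the {N} prefix), strip operational attrs."""
    out, skipping = [], False
    for line in text.splitlines():
        if line.startswith(" "):                 # continuation of the previous line
            if not skipping:
                out.append(line)
            continue
        attr = line.partition(":")[0].strip().lower()
        skipping = attr in OPERATIONAL_ATTRS
        if attr == "dn":
            out.append(f"dn: cn={name},cn=schema,cn=config")
        elif attr == "cn":
            out.append(f"cn: {name}")
        elif not skipping:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the group from the answer, with the required cn present.
GROUP_LDIF = """dn: cn=foo,ou=Groups,dc=example
objectClass: posixGroup
objectClass: groupOfMembers
cn: foo
gidNumber: 9234
member: uid=bob,ou=people,dc=example
member: uid=alice,ou=people,dc=example
"""
# Constructed excerpt of a slaptest-generated cn={2}rfc2307bis.ldif (placeholder UUID).
SCHEMA_LDIF = """dn: cn={2}rfc2307bis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}rfc2307bis
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20240101000000Z
entryCSN: 20240101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20240101000000Z
"""
```

Running `check_group` over `parse_ldif(GROUP_LDIF)` yields `foo:x:9234:bob,alice`, which is the line `getent group foo` should show once nss_schema rfc2307bis is in place; an entry that still uses memberUid, or that lacks cn, comes back with a list of problems instead. `rewrite_schema_ldif(SCHEMA_LDIF)` leaves only the dn, objectClass, cn and olcAttributeTypes lines, which is the file step 6 feeds to ldapadd.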