RE: Why does nslcd require LDAP user entry objectClass=posixAccount?

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Shimin <smqian [at] hotmail.com>
To: Todd Grayson <tgrayson [at] cloudera.com>, "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: RE: Why does nslcd require LDAP user entry objectClass=posixAccount?
Date: Wed, 8 Apr 2015 23:19:26 -0400

Unfortunately, it's not an option for us to change LDAP user schema. We have to support/use an external LDAP database where we cannot extend their schema to add objectClass=posixAccount to their existing user entries. Can we use

map passwd uidNumber employeenumber

in nslcd.conf to get around this problem? Or is there an objectclass mapping that we can set up to map objectclass=posixAccount to objectclass=inetOrgPerson?

inetOrgPerson is one of the objectClass that they use for the user entries, and employeenumber comes from inetOrgPerson.

It makes no sense to require all LDAP user entries to use objectClass=posixAccount when the users are not unix-based and posixAccount attributes like loginShell do not make sense.

What do you think? would the attribute map above work? Thanks!!

From: tgrayson@cloudera.com
Date: Wed, 8 Apr 2015 20:24:45 -0600
Subject: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?
To: smqian@hotmail.com
CC: nss-pam-ldapd-users@lists.arthurdejong.org

What LDAP server are you using... pretty much all of them support extending the schema for PosixAccount, ShadownAccount and PosixGroup objectClasses.

If AD is the LDAP provider then you would look at:

https://msdn.microsoft.com/en-us/library/cc731178.aspx

If OpenLDAP it should already be available within the schema:

http://www.zytrax.com/books/ldap/ape/

On Wed, Apr 8, 2015 at 8:06 PM, Shimin <smqian [at] hotmail.com> wrote:

I am working on a project to support LDAP user authentication. I encounter this problem when configuring pam_ldap module to authenticate LDAP user where nslcd appears to require posixAccount attributes for LDAP users. Otherwise, I get errors such as: “passwd entry <xxxx> does not contain uidNumber value”.

None of my LDAP user entries has “objectClass=posixAccount”, therefore, it does not have uidNumber attribute nor gidNumber, loginShell etc. I imagine there has to be a config setting where I can get around this… I already have

filter passwd (objectClass=person)

in nslcd.conf. What else do I have to change so that nslcd won’t require posixAccount attributes like uidNumber?

I have been struggling with this for two days and I am really pulling my hair out trying to get this to work without having to add posixAccount to my user entries. Please help!!

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Todd Grayson

Customer Operations Engineering

-- To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Why does nslcd require LDAP user entry objectClass=posixAccount?, Shimin
- Re: Why does nslcd require LDAP user entry objectClass=posixAccount?, Todd Grayson
  - RE: Why does nslcd require LDAP user entry objectClass=posixAccount?, Shimin

Prev by Date: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?
Next by Date: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?
Previous by thread: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?
Next by thread: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?