Re: Why does nslcd require LDAP user entry objectClass=posixAccount?

Well, the thing is you might already have the schema present, is the point...  Try ldapmodify of a user entry and append the posixAccount objectClass as a test if it's available.  You will get a DSA unwilling to perform error if it's not available... (I believe, might be a different error code).

As far as pam_ldap is concerned the list will have to speak to that; I'm not sure if pam_ldap will map to alternative attribute values, you might have to look at sssd for that kind of capability...

On Wed, Apr 8, 2015 at 9:19 PM, Shimin <smqian [at] hotmail.com> wrote:
Unfortunately, it's not an option for us to change the LDAP user schema.  We have to support/use an external LDAP database where we cannot extend their schema to add objectClass=posixAccount to their existing user entries.  Can we use

map passwd uidNumber employeenumber

in nslcd.conf to get around this problem?  Or is there an objectClass mapping that we can set up to map objectClass=posixAccount to objectClass=inetOrgPerson?

inetOrgPerson is one of the objectClasses that they use for the user entries, and employeenumber comes from inetOrgPerson.

It makes no sense to require all LDAP user entries to use objectClass=posixAccount when the users are not Unix-based and posixAccount attributes like loginShell do not make sense.

What do you think?  Would the attribute map above work?  Thanks!!


From: tgrayson [at] cloudera.com
Date: Wed, 8 Apr 2015 20:24:45 -0600
Subject: Re: Why does nslcd require LDAP user entry objectClass=posixAccount?
To: smqian [at] hotmail.com
CC: nss-pam-ldapd-users [at] lists.arthurdejong.org


What LDAP server are you using... pretty much all of them support extending the schema for the posixAccount, shadowAccount and posixGroup objectClasses.

If AD is the LDAP provider then you would look at: 

If OpenLDAP it should already be available within the schema:



On Wed, Apr 8, 2015 at 8:06 PM, Shimin <smqian [at] hotmail.com> wrote:

I am working on a project to support LDAP user authentication.  I encountered this problem when configuring the pam_ldap module to authenticate LDAP users, where nslcd appears to require posixAccount attributes for LDAP users.  Otherwise, I get errors such as: “passwd entry <xxxx> does not contain uidNumber value”.

None of my LDAP user entries has “objectClass=posixAccount”; therefore, they do not have a uidNumber attribute, nor gidNumber, loginShell, etc.  I imagine there has to be a config setting where I can get around this…  I already have

filter passwd (objectClass=person)

in nslcd.conf.  What else do I have to change so that nslcd won’t require posixAccount attributes like uidNumber?

I have been struggling with this for two days and I am really pulling my hair out trying to get this to work without having to add posixAccount to my user entries.  Please help!!


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/



--
Todd Grayson
Customer Operations Engineering


-- To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/



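Before pointing nslcd at a directory whose users lack posixAccount, it helps to dry-run the proposed `map passwd` lines against a sample of entries and see which ones would still produce the "passwd entry ... does not contain uidNumber value" error from the thread. The script below is an added example, not nslcd's code or anything posted in the thread: it models nslcd's attribute mapping (unquoted value = source attribute; quoted value = literal/template with `$attr` expansion, syntax assumed to match the nslcd.conf(5) man page for your version), on constructed inetOrgPerson entries.

```python
import re

# Attributes nslcd insists on for a passwd entry; the two numeric ones must parse as integers.
REQUIRED = ("uid", "uidNumber", "gidNumber")
NUMERIC = ("uidNumber", "gidNumber")

# Constructed nslcd.conf fragment: the thread's proposed map plus literal/templated fillers
# (quoted-value syntax assumed to match the nslcd.conf(5) man page for your version).
NSLCD_CONF = """
filter passwd (objectClass=person)
map passwd uidNumber employeeNumber
map passwd gidNumber "100"
map passwd homeDirectory "/home/$uid"
map passwd loginShell "/bin/bash"
"""

# Constructed entries without posixAccount; attribute names lower-cased (LDAP names are case-insensitive).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["alice"], "employeenumber": ["10001"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["carol"], "employeenumber": ["E-42"]},
}

def parse_map(conf):
    """Return {passwd attribute: ("attr", source) | ("literal", template)} from 'map passwd' lines."""
    mapping = {}
    for m in re.finditer(r'^map\s+passwd\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s*$', conf, re.M):
        attr, literal, source = m.groups()
        mapping[attr] = ("literal", literal) if literal is not None else ("attr", source)
    return mapping

def resolve(entry, attr, mapping):
    """Value nslcd would see for attr: the mapped attribute, or the template with $name expanded."""
    kind, src = mapping.get(attr, ("attr", attr))
    if kind == "attr":
        return entry.get(src.lower(), [None])[0]
    return re.sub(r"\$\{?(\w+)\}?", lambda m: entry.get(m.group(1).lower(), [""])[0], src)

def check_entries(entries, conf):
    """Return {dn: [problems]}; an empty list means the entry would become a valid passwd record."""
    mapping, report = parse_map(conf), {}
    for dn, entry in entries.items():
        problems = []
        for attr in REQUIRED:
            value = resolve(entry, attr, mapping)
            if value is None:
                problems.append(f"passwd entry {dn} does not contain {attr} value")
            elif attr in NUMERIC and not value.isdigit():
                problems.append(f"{attr} value {value!r} is not a number")
        report[dn] = problems
    return report
```

Run `check_entries(ENTRIES, NSLCD_CONF)` after exporting real entries with ldapsearch: an entry with no employeeNumber (bob) or a non-numeric one (carol) is a user who will silently vanish from `getent passwd`, and a constant gidNumber means every user shares one primary group, which is worth deciding deliberately.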