[nssldap] Howto get the "host" attribute for pam_check_host_attr of pam_ldap?
- From: Alexander Skwar <listen [at] alexander.skwar.name>
- To: nssldap [at] padl.com
- Subject: [nssldap] Howto get the "host" attribute for pam_check_host_attr of pam_ldap?
- Date: Wed, 04 Apr 2007 16:46:48 +0200
Hello!
I'm trying to set up an OpenLDAP 2.3.31 server, which should also be used
to authenticate Unix logins. The only client machine right now is a
Gentoo Linux system with pam_ldap 183. My question pertains to pam_ldap -
if this is not the correct mailing list, could you please tell me where
I should go instead?
Here it goes...
In man pam_ldap, I find:
       pam_check_host_attr <yes|no>
              Specifies  whether  the  "host"  attribute  should  be checked 
              for logon authorization ("account" in the PAM stack). The 
              default is not to.  If set to "yes" and a user has no value for
              the "host" attribute,  then  the user will be unable to login.
So if I wish to use that feature, I should make sure that my account
entries have a "host" entry (or maybe don't have one, depending on what
I want...). When I check the schema on the server using phpLDAPadmin, I
find that the "host" attribute is defined in the "account" objectClass.
My accounts look like this:
dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
cn: Tomcat
sn: Tomcat
mail: tomcat@win.ch.da.rtr
mailRoutingAddress: tomcat@mail1
mailHost: mail1
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}LOMapg___AqIg
shadowLastChange: 13382
loginShell: /opt/csw/bin/bash
uidNumber: 1052
gidNumber: 10
homeDirectory: /opt/apps/tomcat
gecos: Tomcat
As you can see, there's no "account" objectClass, and the used 
objectClasses aren't derived from "account". Hence there's no "host"
attribute available.
When I now modify this user entry and add an objectClass: account
line for a testuser and then try to add this with ldapadd, I get
an error message:
$ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif 
adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
ldap_add: Internal (implementation specific) error (80)
        additional info: no structuralObjectClass operational attribute
I suppose that's so because the required attribute "userid" is
not set (account requires this attribute, if I'm not mistaken).
But even when I add this attribute, I cannot add the entry to
my LDAP server:
$ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif 
adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
ldap_add: Type or value exists (20)
        additional info: attribute 'uid' provided more than once
I guess that's so because "userid" is a synonym for "uid". Now I
tried to remove the "uid: " line, but see:
$ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif 
adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
ldap_add: Internal (implementation specific) error (80)
        additional info: no structuralObjectClass operational attribute
Still no success :( I suppose the issue this time is that
"uid" is missing; but posixAccount requires "uid".
I don't know how to go on.
What do I have to do to either get the "host" attribute, or
what has to be done to be able to use "pam_check_host_attr"?
Alexander Skwar
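As an added illustration of the authorization rule the man page excerpt above describes (example code written here, not code from the post or from pam_ldap itself): a small Python model of the "account"-phase host check, run over constructed LDIF entries, one mirroring the post's entry with no "host" value and one that carries "host" values. The wildcard value "*", the case-insensitive hostname comparison and the example hostnames are assumptions, not facts stated in the post.

```python
import re
from typing import Dict, List

# Constructed LDIF (not real directory data): the first entry, like the
# one in the post, has no "host" attribute; the second one has two values.
SAMPLE_LDIF = """\
dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
objectClass: posixAccount
loginShell: /opt/csw/bin/bash

dn: uid=alice,ou=People,ou=Prj,o=Cmp
uid: alice
objectClass: posixAccount
objectClass: account
host: build01.example.test
host: Web01.EXAMPLE.TEST
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line, multi-valued attributes kept in order.
    Base64 ('::') values and continuation lines are not handled."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def host_ok(entry: Dict[str, List[str]], hostname: str) -> bool:
    """Model of pam_check_host_attr=yes in the PAM 'account' phase:
    an entry with no 'host' value is denied (fail closed, as the man page
    says); otherwise allow when a value equals the local hostname
    (case-insensitive) or is '*' (assumed pam_ldap wildcard semantics)."""
    hosts = entry.get("host", [])
    if not hosts:
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)


def authorize(ldif: str, dn: str, hostname: str) -> bool:
    """Look the user up by DN in the LDIF text and apply the host check."""
    entry = parse_ldif(ldif).get(dn)
    return entry is not None and host_ok(entry, hostname)
```

With the sample data, `uid=tomcat` is denied on every host because it has no "host" value, while `uid=alice` is allowed on build01 and web01 (in any letter case) and denied elsewhere.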