Re: [nssldap] Howto get the "host" attribute for pam_check_host_attr of pam_ldap?


Hi Alex--

You have to define an objectclass with the host attribute and add that new objectclass to your user objects.  For example,

objectclass ( 1.3.6.1.4.1.22082.2.1.1002 NAME 'wpcLabAccess' SUP top AUXILIARY
        DESC 'WPC lab access oc'
        MAY ( host $ twikiLogin) )

Then the objectclass for your user objects would be:

dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
cn: Tomcat
sn: Tomcat
mail: tomcat@win.ch.da.rtr
mailRoutingAddress: tomcat@mail1
mailHost: mail1
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# added: the auxiliary objectclass that carries the host attribute
objectClass: wpcLabAccess
userPassword: {crypt}LOMapg___AqIg
shadowLastChange: 13382
loginShell: /opt/csw/bin/bash
uidNumber: 1052
gidNumber: 10
homeDirectory: /opt/apps/tomcat
gecos: Tomcat
# added: one host value per system
host: myhost1
host: myhost2

Notice that the host attribute is multi-valued, meaning that you will have a host value for each system instead of a single value with hostnames separated by spaces or commas.  Also, '*' is the wildcard, meaning that if you have host=*, it will match every system.

Hope that helps,
roy
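
As an added illustration (example code, not pam_ldap's own and not part of the thread), the following Python models the pam_check_host_attr decision as the man page excerpt and the reply above describe it: an entry with no "host" value is denied, "*" matches every system, and each host value is compared on its own against the local hostname. The LDIF entries are constructed for the example; the case-insensitive hostname comparison is this example's choice, not something the thread states.

```python
"""Model of the pam_check_host_attr decision discussed in this thread.
Added example, not pam_ldap's code. Assumptions: no "host" value -> deny;
"*" matches every system; each host value is matched individually, so
"myhost1 myhost2" in ONE value is not two hosts."""
from typing import Dict, List

# Constructed sample entry in the shape of the one posted above, with the
# auxiliary objectClass and two separate host values.
ENTRY_MULTI_VALUED = """\
dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
objectClass: posixAccount
objectClass: wpcLabAccess
host: myhost1
host: myhost2
"""

# Constructed counter-example: both hostnames crammed into one value.
ENTRY_SINGLE_VALUE = """\
dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
objectClass: wpcLabAccess
host: myhost1 myhost2
"""

ENTRY_WILDCARD = "dn: uid=anyone,ou=People,ou=Prj,o=Cmp\nhost: *\n"
ENTRY_NO_HOST = "dn: uid=nohost,ou=People,ou=Prj,o=Cmp\nuid: nohost\n"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute-name (lowercased): [values]}.

    Attribute names are case-insensitive in LDAP, so they are lowercased;
    values are kept verbatim. RFC 2849 folded lines (leading space) are
    joined, comment lines ('#') and blank lines are skipped, and base64
    values ('::') are rejected because this example does not need them.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation of the previous line
        else:
            logical.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            raise ValueError(f"base64 value not supported: {name}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def host_check(entry: Dict[str, List[str]], local_hostname: str) -> bool:
    """True if the entry's host values authorise a login on local_hostname,
    following the man page text quoted in the thread."""
    hosts = entry.get("host", [])
    if not hosts:
        return False  # "no value for the host attribute" -> unable to log in
    # Hostname comparison is case-insensitive here (this example's choice).
    local = local_hostname.lower()
    return any(h == "*" or h.lower() == local for h in hosts)


def authorised(ldif_text: str, local_hostname: str) -> bool:
    """Convenience wrapper: parse the entry, then apply the host check."""
    return host_check(parse_ldif_entry(ldif_text), local_hostname)


if __name__ == "__main__":
    samples = [("multi-valued", ENTRY_MULTI_VALUED),
               ("single value", ENTRY_SINGLE_VALUE),
               ("wildcard", ENTRY_WILDCARD),
               ("no host", ENTRY_NO_HOST)]
    for label, ldif in samples:
        for host in ("myhost1", "myhost2", "myhost3"):
            print(f"{label:13s} login on {host}: {authorised(ldif, host)}")
```

Running it shows the pitfall from the reply directly: the entry with two separate host values permits logins on myhost1 and myhost2, while the entry that packs "myhost1 myhost2" into a single value permits neither, and the entry with no host value at all is refused everywhere.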




Alexander Skwar <listen@alexander.skwar.name>
Sent by: owner-nssldap@padl.com
04/04/2007 07:46 AM
To: nssldap@padl.com
cc:
Subject: [nssldap] Howto get the "host" attribute for pam_check_host_attr of pam_ldap?

Hello!

I'm trying to set up an OpenLDAP 2.3.31 server, which should also be used
to authenticate Unix logins. The only client machine right now is a
Gentoo Linux system with pam_ldap 183. My question pertains to pam_ldap;
if this is not the correct mailing list, could you please tell me where
I should go instead?

Here it goes...

In man pam_ldap, I find:

       pam_check_host_attr <yes|no>
              Specifies  whether  the  "host"  attribute  should  be checked
              for logon authorization ("account" in the PAM stack). The
              default is not to.  If set to "yes" and a user has no value for
              the "host" attribute,  then  the user will be unable to login.

So if I wish to use that feature, I should make sure that my account
entries have a "host" entry (or maybe don't have one, depending on what
I want...). When I check the schema on the server using phpLDAPadmin, I
find that the "host" attribute is defined in the "account" objectClass.
My accounts look like this:

dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
cn: Tomcat
sn: Tomcat
mail: tomcat@win.ch.da.rtr
mailRoutingAddress: tomcat@mail1
mailHost: mail1
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}LOMapg___AqIg
shadowLastChange: 13382
loginShell: /opt/csw/bin/bash
uidNumber: 1052
gidNumber: 10
homeDirectory: /opt/apps/tomcat
gecos: Tomcat

As you can see, there's no "account" objectClass, and the used
objectClasses aren't derived from "account". Hence there's no "host"
attribute available.

When I now modify this user entry and add an objectClass: account
line for a testuser and then try to add this with ldapadd, I get
an error message:

$ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif
adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
ldap_add: Internal (implementation specific) error (80)
        additional info: no structuralObjectClass operational attribute

I suppose that's so, because the required attribute "userid" is
not set (account requires this attribute, if I'm not mistaken).
But even when I add this attribute, I cannot add the entry to
my LDAP server:

$ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif
adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
ldap_add: Type or value exists (20)
        additional info: attribute 'uid' provided more than once

I guess that's so, because "userid" is a synonym for "uid". Now I
tried to remove the "uid: " line, but see:

$ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif
adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
ldap_add: Internal (implementation specific) error (80)
        additional info: no structuralObjectClass operational attribute

Still no success :( I suppose the issue this time is that
"uid" is missing; but posixAccount requires "uid".

I don't know how to go on.

What do I have to do to either get the "host" attribute, or
what has to be done to be able to use "pam_check_host_attr"?

Alexander Skwar