RE: [nssldap] Howto get the "host" attribute for pam_check_host_attr of pam_ldap?

Hi Alexander,

Your question is better posted to the pam_ldap mailing list, but it makes
little difference.

You have correctly determined that the 'host' attribute is part of the
'account' object class, but since that is an object class with a different
inheritance chain, it is not possible to use with object class posixAccount.


The pam_ldap distribution from PADL includes a file called ldapns.schema
which defines an auxiliary object class hostObject. You still need to
include the schema file cosine.schema (it defines the 'host' attribute) in
slapd.conf, but by adding ldapns.schema you can add objectclass hostObject
and attribute 'host' to your user objects.

I hope this answers your question.

Cheers,

Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com

> -----Original Message-----
> From: owner-nssldap@padl.com [owner-nssldap [at] padl.com] On Behalf Of
> Alexander Skwar
> Sent: Wednesday, April 04, 2007 7:47 AM
> To: nssldap@padl.com
> Subject: [nssldap] Howto get the "host" attribute for pam_check_host_attr
> of pam_ldap?
> 
> Hello!
> 
> I'm trying to set up an OpenLDAP 2.3.31 server, which should also be used
> to authenticate Unix logins. The only client machine right now is a
> Gentoo Linux system with pam_ldap 183. My question pertains to pam_ldap -
> if this is not the correct mailing list, could you please tell me where
> I should go instead?
> 
> Here it goes...
> 
> In man pam_ldap, I find:
> 
>        pam_check_host_attr <yes|no>
>               Specifies whether the "host" attribute should be checked
>               for logon authorization ("account" in the PAM stack). The
>               default is not to. If set to "yes" and a user has no value for
>               the "host" attribute, then the user will be unable to login.
> 
> So if I wish to use that feature, I should make sure that my account
> entries have a "host" entry (or maybe don't have one, depending on what
> I want...). When I check the schema on the server using phpLDAPadmin, I
> find that the "host" attribute is defined in the "account" objectClass.
> My accounts look like this:
> 
> dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
> uid: tomcat
> cn: Tomcat
> sn: Tomcat
> mail: tomcat@win.ch.da.rtr
> mailRoutingAddress: tomcat@mail1
> mailHost: mail1
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}LOMapg___AqIg
> shadowLastChange: 13382
> loginShell: /opt/csw/bin/bash
> uidNumber: 1052
> gidNumber: 10
> homeDirectory: /opt/apps/tomcat
> gecos: Tomcat
> 
> As you can see, there's no "account" objectClass, and the used
> objectClasses aren't derived from "account". Hence there's no "host"
> attribute available.
> 
> When I now modify this user entry and add an objectClass: account
> line for a testuser and then try to add this with ldapadd, I get
> an error message:
> 
> $ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif
> adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
> ldap_add: Internal (implementation specific) error (80)
>         additional info: no structuralObjectClass operational attribute
> 
> I suppose that's so, because the required attribute "userid" is
> not set (account requires this attribute, if I'm not mistaken).
> But even when I add this attribute, I cannot add the entry to
> my LDAP server:
> 
> $ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif
> adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
> ldap_add: Type or value exists (20)
>         additional info: attribute 'uid' provided more than once
> 
> I guess that's so, because "userid" is a synonym for "uid". Now I
> tried to remove the "uid: " line, but see:
> 
> $ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif
> adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
> ldap_add: Internal (implementation specific) error (80)
>         additional info: no structuralObjectClass operational attribute
> 
> Still no success :( I suppose the issue this time is that
> "uid" is missing; but posixAccount requires "uid".
> 
> I don't know how to go on.
> 
> What do I have to do to either get the "host" attribute, or
> what has to be done to be able to use "pam_check_host_attr"?
> 
> Alexander Skwar
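A way to check, before turning on pam_check_host_attr, which accounts would be locked out for lacking a "host" value and which entries carry a "host" value that no objectClass in the entry permits (the hostObject class from ldapns.schema, or account). This is an added Python example, not code from this thread; the sample entries, hostnames and the treatment of "*" as a wildcard are assumptions.

```python
"""Added example, not code from the thread: audit LDIF user entries against
pam_ldap's pam_check_host_attr (an entry with no 'host' value is denied) and
flag 'host' values no objectClass allows (hostObject or account), which slapd
would reject. Assumed, modelled on pam_ldap: case-insensitive, '*' = any."""
# Constructed sample: tomcat mirrors the posted entry (no host attribute),
# alice has the auxiliary hostObject class from the reply, carol lacks it.
SAMPLE_LDIF = """\
dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
uid: tomcat
objectClass: posixAccount

dn: uid=alice,ou=People,ou=Prj,o=Cmp
uid: alice
objectClass: posixAccount
objectClass: hostObject
host: web1.example.test
host: web2.example.test

dn: uid=carol,ou=People,ou=Prj,o=Cmp
uid: carol
objectClass: posixAccount
host: web1.example.test
"""

def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr(lower): [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def host_allowed(entry, hostname):
    """pam_check_host_attr=yes: allow only if a 'host' value names this host."""
    return any(h == "*" or h.lower() == hostname.lower() for h in entry.get("host", []))

def status(entry, hostname):
    """'allowed' | 'denied' per pam_check_host_attr, or 'schema error'."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "host" in entry and not classes & {"hostobject", "account"}:
        return "schema error"  # no objectClass in the entry permits 'host'
    return "allowed" if host_allowed(entry, hostname) else "denied"

def audit(ldif_text, hostname):
    """Map uid -> status for logins on the given host."""
    return {e["uid"][0]: status(e, hostname) for e in parse_ldif(ldif_text)}
```

Run `audit(SAMPLE_LDIF, "web1.example.test")` against an export of ou=People to list every uid with its outcome before the setting goes live.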