lists.arthurdejong.org

Re: [nssldap] Howto get the "host" attribute for pam_check_host_attr of pam_ldap?





That's pretty awkward... What I've done in the past is to create
my own AUXILIARY object class and cut and paste the offending
attribute into that (had to do it for some password-related stuff
at one point). To do that, you will have to set up your own OID
(for your object class, etc.), and you should probably not use the
existing OID for the attribute. Just generate one of your own.

Craig

.....................................................................
$Id: candcsysadmin,v 1.0 Thu Apr  5 08:42:08 2007 Craig Squires Exp $

On Wed, 4 Apr 2007, Alexander Skwar wrote:

> Hello!
> 
> I'm trying to set up an OpenLDAP 2.3.31 server, which should also be used
> to authenticate Unix logins. The only client machine right now is a 
> Gentoo Linux system with pam_ldap 183. My question pertains to pam_ldap -
> if this is not the correct mailing list, could you please tell me where
> I should go instead?
> 
> Here it goes...
> 
> In man pam_ldap, I find:
> 
>        pam_check_host_attr <yes|no>
>               Specifies whether the "host" attribute should be checked
>               for logon authorization ("account" in the PAM stack). The
>               default is not to. If set to "yes" and a user has no value for
>               the "host" attribute, then the user will be unable to login.
> 
> So if I wish to use that feature, I should make sure that my account
> entries have a "host" entry (or maybe don't have one, depending on what
> I want...). When I check the schema on the server using phpLDAPadmin, I
> find that the "host" attribute is defined in the "account" objectClass.
> My accounts look like this:
> 
> dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
> uid: tomcat
> cn: Tomcat
> sn: Tomcat
> mail: tomcat@win.ch.da.rtr
> mailRoutingAddress: tomcat@mail1
> mailHost: mail1
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}LOMapg___AqIg
> shadowLastChange: 13382
> loginShell: /opt/csw/bin/bash
> uidNumber: 1052
> gidNumber: 10
> homeDirectory: /opt/apps/tomcat
> gecos: Tomcat
> 
> As you can see, there's no "account" objectClass, and the used 
> objectClasses aren't derived from "account". Hence there's no "host"
> attribute available.
> 
> When I now modify this user entry and add an objectClass: account
> line for a testuser and then try to add this with ldapadd, I get
> an error message:
> 
> $ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif 
> adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
> ldap_add: Internal (implementation specific) error (80)
>         additional info: no structuralObjectClass operational attribute
> 
> I suppose that's so, because the required attribute "userid" is
> not set (account requires this attribute, if I'm not mistaken).
> But even when I add this attribute, I cannot add the entry to
> my LDAP server:
> 
> $ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif 
> adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
> ldap_add: Type or value exists (20)
>         additional info: attribute 'uid' provided more than once
> 
> I guess that's so, because "userid" is a synonym for "uid". Now I
> tried to remove the "uid: " line, but see:
> 
> $ ldapadd -D cn=Admin,ou=Prj,o=Cmp -W -x  -f  user-mit-account.ldif 
> adding new entry "uid=tomcat42,ou=People,ou=Prj,o=Cmp"
> ldap_add: Internal (implementation specific) error (80)
>         additional info: no structuralObjectClass operational attribute
> 
> Still no success :( I suppose the issue this time is, that
> "uid" is missing; but posixAccount requires "uid".
> 
> I don't know how to go on.
> 
> What do I have to do to either get the "host" attribute, or
> what has to be done to be able to use "pam_check_host_attr"?
> 
> Alexander Skwar
>
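One concrete way to do what Craig describes, written here as an added example; it is not part of this thread and not a file shipped by pam_ldap or OpenLDAP. The reason Alexander's attempts fail is not the missing userid (userid is only an alias of uid, which is why the second attempt complains about a duplicate): OpenLDAP 2.3 requires every entry to have exactly one STRUCTURAL object class chain, inetOrgPerson (via person and organizationalPerson) already occupies it, and account is STRUCTURAL as well, hence "no structuralObjectClass operational attribute". An AUXILIARY class that merely lists the existing host attribute type from cosine.schema as MAY can be attached to any entry, and the attribute keeps the name "host" that pam_ldap checks. The 1.1 OID arc below is a placeholder for illustration only; the class name hostAccessAccount, the file names and the hostname value are assumptions.

```ldif
# --- local.schema: slapd.conf-style schema file. Include it in slapd.conf
#     after core.schema and cosine.schema (cosine.schema defines the 'host'
#     attribute type that this class reuses), then restart slapd.
#
# 1.1 is a placeholder arc used only for this illustration; replace it with
# an OID from an arc you actually own before using this in production.
objectIdentifier localSchema      1.1
objectIdentifier localObjectClass localSchema:1

objectclass ( localObjectClass:1 NAME 'hostAccessAccount'
    DESC 'Auxiliary class carrying the host attribute for pam_check_host_attr'
    SUP top AUXILIARY
    MAY host )

# --- add-host.ldif: attach the auxiliary class and a host value to the
#     existing entry without touching its structural classes. Apply with:
#       ldapmodify -x -D cn=Admin,ou=Prj,o=Cmp -W -f add-host.ldif
#     'gentoo-client' is an assumed value: pam_ldap compares the host values
#     against the hostname of the machine the login is attempted on.
dn: uid=tomcat,ou=People,ou=Prj,o=Cmp
changetype: modify
add: objectClass
objectClass: hostAccessAccount
-
add: host
host: gentoo-client
-
```

Run slaptest -f /etc/openldap/slapd.conf before restarting to catch schema syntax errors, and afterwards confirm the result with ldapsearch -x -b ou=People,ou=Prj,o=Cmp '(uid=tomcat)' objectClass host. Because pam_check_host_attr yes denies the account stage for any entry with no host value, add the class and a value to every account that should still be able to log in before enabling the option on the client; as far as I remember, pam_ldap also treats a literal host value of * as matching any host, which is worth verifying against the pam_ldap version you run.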