Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-05-01 Thread David Robillard
 On Wednesday 30 April 2008 16:43, David Robillard wrote:
   On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
 
  [ --- 8 --- SNIP! --- 8 --- ]
 
  That sounds very interesting Jonathan. Could you please share with us
  the complete LDIF data used to create such a user?

 This is live from my LDAP server:

 # jfm, group, hst.org.za
 dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
 objectClass: posixGroup
 gidNumber: 1001
 cn: jfm

 # jfm, people, hst.org.za
 dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: extensibleObject
 sn: McKeown
 cn: Jonathan McKeown
 uidNumber: 1001
 gidNumber: 1001
 mail: [EMAIL PROTECTED]
 loginShell: /usr/local/bin/bash
 host: charlotte.hst.org.za
 host: clare.hst.org.za
 uid: jfm
 homeDirectory: /home/jfm

 There is, of course, also a userPassword attribute in the user account. (You
 didn't expect me to show you that, did you?!)

lol Well, if it's in {SSHA} format and you change a few digits here
and there, that's not a security issue :)


 Using posixGroup, the attribute for adding additional members to a group is 
 memberUid.

 There's a bit more to getting this all working: configuring slapd.conf with
 appropriate schemas, installing and configuring pam_ldap and nss_ldap, and
 setting up PAM correctly. I can go into excruciating detail if you like...

Well, I'd certainly love to see how you've set things up. We could
compare with what I've published on my wiki. The documentation is not
finished, but it's a start. I'd really appreciate if people could
check it out and tell me where the document could be enhanced, if I
made any mistakes, things like that. Check it out here:

http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/Kerberos+OpenLDAP

Notice that I've updated my documentation to reflect your LDIF data as
I believe it to be very flexible. Thanks!

I know that Edward Capriolo (in Cc: to this email) has also published
some Kerberos & OpenLDAP documentation online. Edward, care to join
us here?


 My only irritation is that although passwd(1) in 6.3 has the code within it to
 allow it to be controlled by PAM, it's all currently diked out, so that you
 can't use passwd(1) transparently with LDAP users. (As far as I know this
 hasn't changed in 7.0).

Indeed, that's also a problem I have. How do you go about to solve this?


 inetOrgPerson gives you a huge number of optional fields for other
 information, up to and including a JPEG photo. It inherits from
 organizationalPerson which inherits from person, so you need to combine all
 three sets of attributes to get the complete spec for inetOrgPerson (note the
 only MUST attributes are sn and cn from person):

 [ --- 8 --- SNIP! --- 8 --- ]

 We're hardly using any of these, but it seemed to make more sense to build it
 in, in case.

You're right, I totally agree.

 Jonathan

Cheers!

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread Jonathan McKeown
On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
 O. Hartmann wrote:
  Jonathan Chen wrote:
  On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
  Hello out there,
  my question may sound a bit weird, but the situation is as follows:
 
  I use OpenLDAP 2.4 for authentication purposes within our lab's net
  and every user's account is of the objectclass 'posixAccount'. As we
  know, this class does not contain the attribute 'host', which belongs
  to structural class 'account' and both posixAccount and account are
  of type structural and therefore can not be mixed.
 
  Is there really such a rule?

It's true that an object can only belong to one structural class (although it 
can belong to many auxiliary classes).

I use the auxiliary class extensibleObject, which allows you to add any 
attribute to an LDAP object. My user accounts have three object classes: 
inetOrgPerson (the structural class), posixAccount and extensibleObject. The 
rules for the first two are still enforced, but I am able to add the Host: 
attribute.

Jonathan


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread O. Hartmann

O. Hartmann wrote:

Jonathan Chen wrote:

On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:

Hello out there,
my question may sound a bit weird, but the situation is as follows:

I use OpenLDAP 2.4 for authentication purposes within our lab's net 
and every user's account is of the objectclass 'posixAccount'. As we 
know, this class does not contain the attribute 'host', which belongs 
to structural class 'account' and both posixAccount and account are 
of type structural and therefore can not be mixed.


Is there really such a rule? There's an of examples in
O'Reilly's LDAP System Administration that has a mixed
account + posixAccount objectClasses for a node to implement
the situation of: One User and a Group of Hosts.


Well, simply try to include both structural object classes 'account' and 
posixAccount and you'll get a class violation - so it is here ...


Oliver

P.S. O'Reilly's book seems to be a little bit outdated, it reflects 
schemata prior to OpenLDAP 2.3 I guess and I use 2.4 by the way. I read 
many tutorials mixing up both account and posixAccount but this isn't 
allowed any more with newer versions - as I understand.

Sorry,
I made a mistake, 'account' and 'inetOrgPerson' and 'person' collide, 
not 'posixAccount', so it's my fault.


Oliver


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread David Robillard
 On Wednesday 30 April 2008 11:00, O. Hartmann wrote:

[ --- 8 --- SNIP! --- 8 --- ]

 It's true that an object can only belong to one structural class (although it
 can belong to many auxiliary classes).

 I use the auxiliary class extensibleObject, which allows you to add any
 attribute to an LDAP object. My user accounts have three object classes:
 inetOrgPerson (the structural class), posixAccount and extensibleObject. The
 rules for the first two are still enforced, but I am able to add the Host:
 attribute.

 Jonathan

That sounds very interesting Jonathan. Could you please share with us
the complete LDIF data used to create such a user?
Something like this for example:

# test.user.ldif
#
# Create a test user.

dn: cn=test.user, ou=users, dc=domain, dc=com
objectclass: top
objectclass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
sn: test.user
uid: test.user
userPassword: {SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidNumber: 
gidNumber: 
gecos: Test User
mail: [EMAIL PROTECTED]
telephonenumber: 123 456 7890 x1234
loginShell: /usr/local/bin/bash
homeDirectory: /nfs/home/test.user

# Link this user to its group.
dn: cn=test, ou=groups, dc=domain, dc=com
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 
memberUid: test.user

# EOF

Many thanks,

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread Jonathan McKeown
On Wednesday 30 April 2008 16:43, David Robillard wrote:
  On Wednesday 30 April 2008 11:00, O. Hartmann wrote:

 [ --- 8 --- SNIP! --- 8 --- ]

  It's true that an object can only belong to one structural class
  (although it can belong to many auxiliary classes).
 
  I use the auxiliary class extensibleObject, which allows you to add any
  attribute to an LDAP object. My user accounts have three object classes:
  inetOrgPerson (the structural class), posixAccount and extensibleObject.
  The rules for the first two are still enforced, but I am able to add the
  Host: attribute.
 
  Jonathan

 That sounds very interesting Jonathan. Could you please share with us
 the complete LDIF data used to create such a user?

This is live from my LDAP server:

# jfm, group, hst.org.za
dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
objectClass: posixGroup
gidNumber: 1001
cn: jfm

# jfm, people, hst.org.za
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
mail: [EMAIL PROTECTED]
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm

There is, of course, also a userPassword attribute in the user account. (You 
didn't expect me to show you that, did you?!)

Using posixGroup, the attribute for adding additional members to a group is 
memberUid.

There's a bit more to getting this all working: configuring slapd.conf with 
appropriate schemas, installing and configuring pam_ldap and nss_ldap, and 
setting up PAM correctly. I can go into excruciating detail if you like...

My only irritation is that although passwd(1) in 6.3 has the code within it to 
allow it to be controlled by PAM, it's all currently diked out, so that you 
can't use passwd(1) transparently with LDAP users. (As far as I know this 
hasn't changed in 7.0).

inetOrgPerson gives you a huge number of optional fields for other 
information, up to and including a JPEG photo. It inherits from 
organizationalPerson which inherits from person, so you need to combine all 
three sets of attributes to get the complete spec for inetOrgPerson (note the 
only MUST attributes are sn and cn from person):

NAME 'inetOrgPerson'
DESC 'RFC2798: Internet Organizational Person'
SUP organizationalPerson
STRUCTURAL
MAY (   audio $ businessCategory $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $
labeledURI $ mail $ manager $ mobile $ o $ pager $
photo $ roomNumber $ secretary $ uid $ userCertificate $
x500uniqueIdentifier $ preferredLanguage $
userSMIMECertificate $ userPKCS12 )

NAME 'organizationalPerson'
DESC 'RFC2256: an organizational person'
SUP person
STRUCTURAL
MAY (   title $ x121Address $ registeredAddress $
destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l )

NAME 'person'
DESC 'RFC2256: a person'
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description )

We're hardly using any of these, but it seemed to make more sense to build it 
in, in case.

Jonathan
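
The structural-class rule Jonathan describes (one structural chain per entry, any number of auxiliary classes), and Oliver's finding that `account` collides with `inetOrgPerson`/`person` but not with `posixAccount`, can be checked offline before an entry is ever sent to slapd. The script below is an added example and is not code from anyone in this thread or from OpenLDAP. Its `SCHEMA` table is a hand transcription of the relevant classes from the core, cosine, inetorgperson and nis schemas shipped with OpenLDAP (MAY lists trimmed to the attributes used here), `JFM_LDIF` is Jonathan's entry with a placeholder mail address, and the other LDIF records are constructed variants: the same entry without `extensibleObject`, the same entry with `account` added, and the O'Reilly-style `account` + `posixAccount` entry Jonathan Chen refers to.

```python
"""Offline objectClass check for the simple 'attr: value' LDIF seen in this thread.

SCHEMA is a hand transcription of the classes the thread discusses, trimmed to
the attributes used below; it illustrates the rule, it is not OpenLDAP's schema
engine.  Names are lowercased because LDAP matches them case-insensitively.
"""

# class name -> (kind, superior class, MUST attributes, MAY attributes)
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectclass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("STRUCTURAL", "person", set(),
                             {"title", "telephonenumber", "street", "postalcode", "ou", "st", "l"}),
    "inetorgperson": ("STRUCTURAL", "organizationalperson", set(),
                      {"displayname", "givenname", "mail", "uid", "jpegphoto", "mobile", "o"}),
    "account": ("STRUCTURAL", "top", {"uid"},
                {"description", "seealso", "l", "o", "ou", "host"}),
    "posixaccount": ("AUXILIARY", "top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
    # extensibleObject is auxiliary and lets the entry carry ANY attribute
    "extensibleobject": ("AUXILIARY", "top", set(), set()),
}


def parse_ldif(text):
    """Parse blank-line separated 'attr: value' records into dicts
    {attribute_lowercase: [values]}.  '#' comments are skipped; base64 ('::')
    values and continuation lines are not handled, as none appear here."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.lstrip().startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def ancestors(oc):
    """The class itself followed by its superior chain up to 'top'."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][1]
    return chain


def check_entry(entry):
    """Return a list of violations; an empty list means the entry passes."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    unknown = classes - set(SCHEMA)
    if unknown:
        return ["unknown objectClass: " + ", ".join(sorted(unknown))]
    expanded = set()
    for oc in classes:
        expanded.update(ancestors(oc))
    problems = []
    structural = {oc for oc in expanded if SCHEMA[oc][0] == "STRUCTURAL"}
    # Several structural classes are fine only when they lie on ONE superior chain
    # (person < organizationalPerson < inetOrgPerson); two unrelated structural
    # classes such as account + inetOrgPerson are the violation Oliver hit.
    if not structural:
        problems.append("no structural objectClass")
    elif not any(structural <= set(ancestors(leaf)) for leaf in structural):
        problems.append("objectClass violation: unrelated structural classes "
                        + ", ".join(sorted(structural)))
    must = set().union(*(SCHEMA[oc][2] for oc in expanded))
    may = set().union(*(SCHEMA[oc][3] for oc in expanded))
    present = set(entry) - {"dn"}
    problems += ["missing MUST attribute " + a for a in sorted(must - present)]
    if "extensibleobject" not in expanded:  # with extensibleObject anything goes
        problems += ["attribute " + a + " not allowed by any objectClass"
                     for a in sorted(present - must - may)]
    return problems


def check_ldif(text):
    """Map each entry's dn to its list of violations."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


# Jonathan's live entry (userPassword omitted as in his post; mail is a placeholder).
JFM_LDIF = """\
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
mail: jfm@example.org
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm
"""
# Constructed variants for the demonstration.
NO_EXTENSIBLE_LDIF = JFM_LDIF.replace("objectClass: extensibleObject\n", "")
WITH_ACCOUNT_LDIF = JFM_LDIF.replace("objectClass: posixAccount\n",
                                     "objectClass: posixAccount\nobjectClass: account\n")
ACCOUNT_STYLE_LDIF = """\
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: account
objectClass: posixAccount
uid: jfm
cn: jfm
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jfm
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
"""
```

Running `check_ldif` over the four records shows the thread's conclusion directly: Jonathan's entry passes; dropping `extensibleObject` makes `host` an attribute no objectClass permits; adding `account` to an `inetOrgPerson` entry produces the structural-class collision; and `account` + `posixAccount` on its own passes, because `posixAccount` is auxiliary and `account` already allows `host`. A real slapd also enforces attribute syntaxes, SINGLE-VALUE flags and DIT content rules, none of which this toy checks.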


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-29 Thread Jonathan Chen
On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
 Hello out there,
 my question may sound a bit weird, but the situation is as follows:
 
 I use OpenLDAP 2.4 for authentication purposes within our lab's net and 
 every user's account is of the objectclass 'posixAccount'. As we know, 
 this class does not contain the attribute 'host', which belongs to 
 structural class 'account' and both posixAccount and account are of 
 type structural and therefore can not be mixed.

Is there really such a rule? There's an of examples in
O'Reilly's LDAP System Administration that has a mixed
account + posixAccount objectClasses for a node to implement
the situation of: One User and a Group of Hosts.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
 Vini, vidi, velcro...
 I came, I saw, I stuck around


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-29 Thread O. Hartmann

Jonathan Chen wrote:

On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:

Hello out there,
my question may sound a bit weird, but the situation is as follows:

I use OpenLDAP 2.4 for authentication purposes within our lab's net and 
every user's account is of the objectclass 'posixAccount'. As we know, 
this class does not contain the attribute 'host', which belongs to 
structural class 'account' and both posixAccount and account are of 
type structural and therefore can not be mixed.


Is there really such a rule? There's an of examples in
O'Reilly's LDAP System Administration that has a mixed
account + posixAccount objectClasses for a node to implement
the situation of: One User and a Group of Hosts.


Well, simply try to include both structural object classes 'account' and 
posixAccount and you'll get a class violation - so it is here ...


Oliver

P.S. O'Reilly's book seems to be a little bit outdated, it reflects 
schemata prior to OpenLDAP 2.3 I guess and I use 2.4 by the way. I read 
many tutorials mixing up both account and posixAccount but this isn't 
allowed any more with newer versions - as I understand.
