Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
> On Wednesday 30 April 2008 16:43, David Robillard wrote:
> > On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> > [ --- 8< --- SNIP! --- 8< --- ]
> > That sounds very interesting Jonathan. Could you please share with
> > us the complete LDIF data used to create such a user?
>
> This is live from my LDAP server:
>
> # jfm, group, hst.org.za
> dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
> objectClass: posixGroup
> gidNumber: 1001
> cn: jfm
>
> # jfm, people, hst.org.za
> dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: extensibleObject
> sn: McKeown
> cn: Jonathan McKeown
> uidNumber: 1001
> gidNumber: 1001
> mail: [EMAIL PROTECTED]
> loginShell: /usr/local/bin/bash
> host: charlotte.hst.org.za
> host: clare.hst.org.za
> uid: jfm
> homeDirectory: /home/jfm
>
> There is, of course, also a userPassword attribute in the user
> account. (You didn't expect me to show you that, did you?!)

lol

Well, if it's in {SSHA} format and you change a few digits here and
there, that's not a security issue :)

> Using posixGroup, the attribute for adding additional members to a
> group is memberUid.
>
> There's a bit more to getting this all working: configuring slapd.conf
> with appropriate schemas, installing and configuring pam_ldap and
> nss_ldap, and setting up PAM correctly. I can go into excruciating
> detail if you like...

Well, I'd certainly love to see how you've set things up. We could
compare with what I've published on my wiki. The documentation is not
finished, but it's a start. I'd really appreciate it if people could
check it out and tell me where the document could be enhanced, if I made
any mistakes, things like that.

Check it out here:

http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/Kerberos+OpenLDAP

Notice that I've updated my documentation to reflect your LDIF data, as
I believe it to be very flexible. Thanks!

I know that Edward Capriolo (in Cc: to this email) has also published
some Kerberos + OpenLDAP documentation online. Edward, care to join us
here?

> My only irritation is that although passwd(1) in 6.3 has the code
> within it to allow it to be controlled by PAM, it's all currently
> diked out, so that you can't use passwd(1) transparently with LDAP
> users. (As far as I know this hasn't changed in 7.0).

Indeed, that's also a problem I have. How do you go about solving this?

> inetOrgPerson gives you a huge number of optional fields for other
> information, up to and including a JPEG photo. It inherits from
> organizationalPerson which inherits from person, so you need to
> combine all three sets of attributes to get the complete spec for
> inetOrgPerson (note the only MUST attributes are sn and cn from
> person):
> [ --- 8< --- SNIP! --- 8< --- ]
> We're hardly using any of these, but it seemed to make more sense to
> build it in, in case.

You're right, I totally agree.

> Jonathan

Cheers!

DA+
-- 
David Robillard
UNIX systems administrator
Oracle DBA
CISSP, RHCE
Sun Certified Security Administrator
Montreal: +1 514 966 0122
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> O. Hartmann wrote:
> > Jonathan Chen wrote:
> > > On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
> > > > Hello out there,
> > > > my question may sound a bit weird, but the situation is as
> > > > follows: I use OpenLDAP 2.4 for authentication purposes within
> > > > our lab's net and every user's account is of the objectclass
> > > > 'posixAccount'. As we know, this class does not contain the
> > > > attribute 'host', which belongs to structural class 'account'
> > > > and both posixAccount and account are of type structural and
> > > > therefore cannot be mixed.
> > >
> > > Is there really such a rule?

It's true that an object can only belong to one structural class
(although it can belong to many auxiliary classes).

I use the auxiliary class extensibleObject, which allows you to add any
attribute to an LDAP object. My user accounts have three object classes:
inetOrgPerson (the structural class), posixAccount and extensibleObject.
The rules for the first two are still enforced, but I am able to add the
Host: attribute.

Jonathan
Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
O. Hartmann wrote:
> Jonathan Chen wrote:
> > On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
> > > Hello out there,
> > > my question may sound a bit weird, but the situation is as
> > > follows: I use OpenLDAP 2.4 for authentication purposes within our
> > > lab's net and every user's account is of the objectclass
> > > 'posixAccount'. As we know, this class does not contain the
> > > attribute 'host', which belongs to structural class 'account' and
> > > both posixAccount and account are of type structural and therefore
> > > cannot be mixed.
> >
> > Is there really such a rule? There's an example in O'Reilly's LDAP
> > System Administration that has mixed account + posixAccount
> > objectClasses for a node to implement the situation of: One User and
> > a Group of Hosts.
>
> Well, simply try to include both structural object classes 'account'
> and posixAccount and you'll get a class violation - so it is here ...
>
> Oliver
>
> P.S. O'Reilly's book seems to be a little bit outdated, it reflects
> schemata prior to OpenLDAP 2.3 I guess and I use 2.4 by the way. I read
> many tutorials mixing up both account and posixAccount but this isn't
> allowed any more with newer versions - as I understand.

Sorry, I made a mistake, 'account' and 'inetOrgPerson' and 'person'
collide, not 'posixAccount', so it's my fault.

Oliver
Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
> On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> [ --- 8< --- SNIP! --- 8< --- ]
>
> It's true that an object can only belong to one structural class
> (although it can belong to many auxiliary classes).
>
> I use the auxiliary class extensibleObject, which allows you to add
> any attribute to an LDAP object. My user accounts have three object
> classes: inetOrgPerson (the structural class), posixAccount and
> extensibleObject. The rules for the first two are still enforced, but
> I am able to add the Host: attribute.
>
> Jonathan

That sounds very interesting Jonathan. Could you please share with us
the complete LDIF data used to create such a user? Something like this
for example:

# test.user.ldif
#
# Create a test user.
dn: cn=test.user, ou=users, dc=domain, dc=com
objectclass: top
objectclass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test User
sn: test.user
uid: test.user
userPassword: {SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidNumber:
gidNumber:
gecos: Test User
mail: [EMAIL PROTECTED]
telephonenumber: 123 456 7890 x1234
loginShell: /usr/local/bin/bash
homeDirectory: /nfs/home/test.user

# Link this user to its group.
dn: cn=test, ou=groups, dc=domain, dc=com
objectClass: top
objectClass: posixGroup
cn: test
gidNumber:
memberUid: test.user

# EOF

Many thanks,

DA+
-- 
David Robillard
UNIX systems administrator
Oracle DBA
CISSP, RHCE
Sun Certified Security Administrator
Montreal: +1 514 966 0122
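The sample entry above carries a userPassword in {SSHA} form, and the thread goes on to joke about sharing such values. As an added illustration (not code from the thread or from OpenLDAP), the Python below shows what an {SSHA} value is: base64 of SHA-1(password || salt) followed by the salt, with slapd using a 4-byte random salt by default. It generates and verifies values, splits the posted one to show its salt length, and demonstrates the practical point: a real hash posted in public is an offline guessing target that needs no access to the directory, while a value with "a few digits changed" verifies nothing at all. The posted hash string is the only value taken from the page; the passwords and word list are constructed for the example.

```python
"""Generate, verify and offline-guess OpenLDAP-style {SSHA} userPassword
values.  Added example, not code from the thread or from OpenLDAP."""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size; whatever follows it is the salt

# The value posted in the thread (only page-derived input in this example).
POSTED_HASH = "{SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1"


def ssha_hash(password, salt=None):
    """Return a {SSHA} value: base64( SHA1(password || salt) || salt ).
    slapd's default salt is 4 random bytes; a longer salt is also accepted."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short for a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(stored, candidate):
    """True if candidate hashes to the stored value (constant-time compare)."""
    digest, salt = ssha_parts(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def offline_guess(stored, wordlist):
    """What a holder of a leaked hash does: test candidates locally, with no
    bind against slapd and nothing in its logs.  Returns the hit or None."""
    for word in wordlist:
        if ssha_verify(stored, word):
            return word
    return None


if __name__ == "__main__":
    fresh = ssha_hash("correct horse")          # constructed password
    print(fresh, ssha_verify(fresh, "correct horse"), ssha_verify(fresh, "wrong"))
    print("salt bytes in the posted value:", len(ssha_parts(POSTED_HASH)[1]))
    print("wordlist hit:", offline_guess(fresh, ["password", "secret", "correct horse"]))
```

Unsalted {SHA} and plain {SSHA} are what slapd produced by default at the time of the thread; the salt stops one table from covering every user, but it does nothing against per-hash guessing of weak passwords, which is why a genuine value should stay out of mail archives.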
Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
On Wednesday 30 April 2008 16:43, David Robillard wrote:
> On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> [ --- 8< --- SNIP! --- 8< --- ]
> > It's true that an object can only belong to one structural class
> > (although it can belong to many auxiliary classes).
> >
> > I use the auxiliary class extensibleObject, which allows you to add
> > any attribute to an LDAP object. My user accounts have three object
> > classes: inetOrgPerson (the structural class), posixAccount and
> > extensibleObject. The rules for the first two are still enforced,
> > but I am able to add the Host: attribute.
> >
> > Jonathan
>
> That sounds very interesting Jonathan. Could you please share with us
> the complete LDIF data used to create such a user?

This is live from my LDAP server:

# jfm, group, hst.org.za
dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
objectClass: posixGroup
gidNumber: 1001
cn: jfm

# jfm, people, hst.org.za
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
mail: [EMAIL PROTECTED]
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm

There is, of course, also a userPassword attribute in the user account.
(You didn't expect me to show you that, did you?!)

Using posixGroup, the attribute for adding additional members to a group
is memberUid.

There's a bit more to getting this all working: configuring slapd.conf
with appropriate schemas, installing and configuring pam_ldap and
nss_ldap, and setting up PAM correctly. I can go into excruciating
detail if you like...

My only irritation is that although passwd(1) in 6.3 has the code within
it to allow it to be controlled by PAM, it's all currently diked out, so
that you can't use passwd(1) transparently with LDAP users. (As far as I
know this hasn't changed in 7.0).

inetOrgPerson gives you a huge number of optional fields for other
information, up to and including a JPEG photo. It inherits from
organizationalPerson which inherits from person, so you need to combine
all three sets of attributes to get the complete spec for inetOrgPerson
(note the only MUST attributes are sn and cn from person):

    NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson
        STRUCTURAL
        MAY ( audio $ businessCategory $ carLicense $ departmentNumber $
              displayName $ employeeNumber $ employeeType $ givenName $
              homePhone $ homePostalAddress $ initials $ jpegPhoto $
              labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $
              roomNumber $ secretary $ uid $ userCertificate $
              x500uniqueIdentifier $ preferredLanguage $
              userSMIMECertificate $ userPKCS12 )

    NAME 'organizationalPerson'
        DESC 'RFC2256: an organizational person'
        SUP person
        STRUCTURAL
        MAY ( title $ x121Address $ registeredAddress $
              destinationIndicator $ preferredDeliveryMethod $
              telexNumber $ teletexTerminalIdentifier $ telephoneNumber $
              internationaliSDNNumber $ facsimileTelephoneNumber $
              street $ postOfficeBox $ postalCode $ postalAddress $
              physicalDeliveryOfficeName $ ou $ st $ l )

    NAME 'person'
        DESC 'RFC2256: a person'
        SUP top
        STRUCTURAL
        MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $ seeAlso $ description )

We're hardly using any of these, but it seemed to make more sense to
build it in, in case.

Jonathan
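The whole thread turns on three schema rules: an entry may carry only one STRUCTURAL class chain (a class and its superclasses count as one, so inetOrgPerson, organizationalPerson and person together are fine, but account next to inetOrgPerson is a violation), every MUST attribute of every listed class must be present, and any attribute outside the union of MUST and MAY is rejected unless extensibleObject is listed. The following Python is an added example, not code from the thread or from OpenLDAP: it parses object-class definitions in the text form shown above and validates LDIF entries against them, so the variants the thread argues about (the entry as posted, the same entry without extensibleObject, inetOrgPerson plus account, and the older account plus posixAccount pattern) can be checked without a running slapd. SCHEMA_TEXT is an abbreviated copy of the standard core/cosine/nis/inetorgperson definitions with the MAY lists trimmed; the LDIF is the user entry posted above with its mail value dropped.

```python
"""Check LDIF entries against the object-class rules this thread turns on: one
STRUCTURAL chain per entry, all MUST attributes present, nothing outside MUST/MAY
unless extensibleObject is listed.  Added example, not code from the thread;
SCHEMA_TEXT abbreviates the standard core/cosine/nis/inetorgperson definitions
(MAY lists trimmed; cosine spells account's MUST 'userid', an alias of uid)."""
import re

SCHEMA_TEXT = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )
( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL
    MAY ( mail $ uid $ givenName $ jpegPhoto ) )
( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL
    MUST uid MAY ( description $ seeAlso $ l $ o $ ou $ host ) )
( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top AUXILIARY )
"""
_CLASS = re.compile(
    r"NAME\s+'(?P<name>[^']+)'(?:\s+DESC\s+'[^']*')?(?:\s+SUP\s+(?P<sup>\w+))?"
    r"\s+(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY)"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\w+))?(?:\s+MAY\s+(?P<may>\([^)]*\)|\w+))?")

def _attrs(text):
    """'( sn $ cn )', 'uid' or None -> frozenset of lower-cased attribute names."""
    return frozenset(a.strip().lower() for a in (text or "").strip("() ").split("$") if a.strip())

def parse_schema(text):
    """{class name: {'sup', 'kind', 'must', 'may'}}, names lower-cased."""
    return {m["name"].lower(): {"sup": (m["sup"] or "").lower() or None, "kind": m["kind"],
                                "must": _attrs(m["must"]), "may": _attrs(m["may"])}
            for m in _CLASS.finditer(text)}

def chain(classes, name):
    """A class followed by its superclasses up to top."""
    out = []
    while name:
        out.append(name)
        name = classes[name]["sup"]
    return out

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, '#' comments, plain
    'attr: value' lines only (no '::' base64 values, no continuation lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cur = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                key, _, value = line.partition(":")
                cur.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(cur)
    return entries

def validate(entry, classes):
    """List of problems; empty means slapd's schema check would accept it."""
    ocs = [oc.lower() for oc in entry.get("objectclass", [])]
    if any(oc not in classes for oc in ocs):
        return ["unknown objectClass " + oc for oc in ocs if oc not in classes]
    problems = []
    structural = [oc for oc in ocs if classes[oc]["kind"] == "STRUCTURAL"]
    if not structural:
        problems.append("no STRUCTURAL objectClass")
    else:  # every structural class must sit on one inheritance chain
        deepest = max(structural, key=lambda oc: len(chain(classes, oc)))
        problems += ["objectClass violation: '%s' and '%s' are both STRUCTURAL and unrelated"
                     % (oc, deepest) for oc in structural if oc not in chain(classes, deepest)]
    supers = {c for oc in ocs for c in chain(classes, oc)}
    must = set().union(*(classes[c]["must"] for c in supers))
    allowed = must | set().union(*(classes[c]["may"] for c in supers))
    present = set(entry) - {"dn"}
    problems += ["missing MUST attribute " + a for a in sorted(must - present)]
    if "extensibleobject" not in ocs:  # extensibleObject lifts the MAY restriction
        problems += ["attribute '%s' not allowed by any objectClass" % a
                     for a in sorted(present - allowed)]
    return problems

def check_ldif(ldif_text, schema_text=SCHEMA_TEXT):
    """Validate every entry in ldif_text: {dn: [problems]}."""
    classes = parse_schema(schema_text)
    return {e["dn"][0]: validate(e, classes) for e in parse_ldif(ldif_text)}

JFM_LDIF = """\
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm
"""

if __name__ == "__main__":
    print(check_ldif(JFM_LDIF))
    print(check_ldif(JFM_LDIF.replace("objectClass: extensibleObject\n", "")))
```

Run against the posted entry the checker returns no problems; drop extensibleObject and it reports host as not allowed; add account beside inetOrgPerson and it reports the structural clash; swap inetOrgPerson for account (the O'Reilly pattern) and host is accepted but sn is not, which is exactly the trade-off the thread ends up with.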
Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
> Hello out there,
> my question may sound a bit weird, but the situation is as follows: I
> use OpenLDAP 2.4 for authentication purposes within our lab's net and
> every user's account is of the objectclass 'posixAccount'. As we know,
> this class does not contain the attribute 'host', which belongs to
> structural class 'account' and both posixAccount and account are of
> type structural and therefore cannot be mixed.

Is there really such a rule? There's an example in O'Reilly's LDAP System
Administration that has mixed account + posixAccount objectClasses for a
node to implement the situation of: One User and a Group of Hosts.

-- 
Jonathan Chen [EMAIL PROTECTED]
--
Vini, vidi, velcro... I came, I saw, I stuck around
Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
Jonathan Chen wrote:
> On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
> > Hello out there,
> > my question may sound a bit weird, but the situation is as follows:
> > I use OpenLDAP 2.4 for authentication purposes within our lab's net
> > and every user's account is of the objectclass 'posixAccount'. As we
> > know, this class does not contain the attribute 'host', which
> > belongs to structural class 'account' and both posixAccount and
> > account are of type structural and therefore cannot be mixed.
>
> Is there really such a rule? There's an example in O'Reilly's LDAP
> System Administration that has mixed account + posixAccount
> objectClasses for a node to implement the situation of: One User and a
> Group of Hosts.

Well, simply try to include both structural object classes 'account' and
posixAccount and you'll get a class violation - so it is here ...

Oliver

P.S. O'Reilly's book seems to be a little bit outdated, it reflects
schemata prior to OpenLDAP 2.3 I guess and I use 2.4 by the way. I read
many tutorials mixing up both account and posixAccount but this isn't
allowed any more with newer versions - as I understand.