From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
Date: Tue, 29 Apr 2008 10:07:44 +0000
To: freebsd-questions@freebsd.org
Message-ID: <4816F370.6070706@zedat.fu-berlin.de>
Subject: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

Hello out there,

my question may sound a bit weird, but the situation is as follows: I use OpenLDAP 2.4 for authentication purposes within our lab's net, and every user's account is of the objectclass 'posixAccount'. As we know, this class does not contain the attribute 'host', which belongs to the structural class 'account', and both posixAccount and account are of type structural and therefore cannot be mixed.

For some first steps in host-based and LDAP-backed logins I need to allow logins on several machines by looking at the host (I use PAM for both authentication and accounting). Looking at /usr/local/etc/nss_ldap.conf (or simply ldap.conf) I find a tag

    pam_check_host_attr yes

to be set when we want to use host-based logins. But this does not work due to the above mentioned reasons.

Is there an elegant workaround for this situation?

Thanks in advance,
Oliver

--
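The following is an added example and is not part of the original post. It models the two things the question turns on: which object classes may be combined in one entry (the schema kind, STRUCTURAL vs AUXILIARY, of each class as declared in the stock OpenLDAP cosine.schema and nis.schema files) and how a pam_check_host_attr style decision reads the 'host' attribute. The LDIF entry, the hostnames and the small object-class table are constructed sample data; the host-matching rule ('*' permits every host, otherwise an exact, case-insensitive hostname match; no 'host' value means deny) is an assumption about pam_ldap's behaviour, stated here so it can be checked against the installed module.

```python
"""Added example (not from the original post): check a user entry for
structural-class conflicts and evaluate a pam_check_host_attr style
host restriction offline, without an LDAP server.

Assumptions: object-class kinds follow the stock OpenLDAP schema files
(cosine.schema declares 'account' STRUCTURAL with 'host' in its MAY list;
nis.schema declares 'posixAccount' and 'shadowAccount' AUXILIARY).
The host check emulates pam_ldap: deny without a 'host' value, permit on
'*' or a case-insensitive exact hostname match.  All data is constructed.
"""

# Object-class kinds as declared in OpenLDAP's cosine/nis/inetorgperson
# schema files.  'account' and 'inetOrgPerson' do not derive from each
# other, so listing both in one entry is a structural conflict.
OBJECT_CLASS_KIND = {
    "top": "ABSTRACT",
    "account": "STRUCTURAL",        # cosine.schema; MAY host
    "inetOrgPerson": "STRUCTURAL",  # inetorgperson.schema
    "posixAccount": "AUXILIARY",    # nis.schema
    "shadowAccount": "AUXILIARY",   # nis.schema
}

# Constructed sample entry: one STRUCTURAL class (account) carrying the
# 'host' attribute, plus the AUXILIARY POSIX classes.
SAMPLE_LDIF = """\
dn: uid=oliver,ou=People,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: oliver
cn: Oliver Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/oliver
loginShell: /bin/sh
host: telesto.example.org
host: eos.example.org
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercase: [values]}.
    Folded continuation lines (leading space) are joined; '#' comments
    and blank lines are ignored."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def structural_conflict(object_classes):
    """Return the STRUCTURAL classes that clash (more than one unrelated
    STRUCTURAL class in the entry); an empty list means the entry is fine.
    Unknown classes are ignored rather than guessed at."""
    structural = [oc for oc in object_classes
                  if OBJECT_CLASS_KIND.get(oc) == "STRUCTURAL"]
    return structural if len(structural) > 1 else []


def host_permitted(entry, hostname):
    """Emulate pam_check_host_attr (assumed pam_ldap semantics): deny when
    the entry has no 'host' value, permit on '*' or an exact match."""
    allowed = entry.get("host", [])
    if not allowed:
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in allowed)


def check_entry(ldif_text, hostname):
    """Schema sanity check followed by the host-based login decision."""
    entry = parse_ldif_entry(ldif_text)
    conflict = structural_conflict(entry.get("objectclass", []))
    if conflict:
        return {"valid": False, "conflict": conflict, "login": False}
    return {"valid": True, "conflict": [],
            "login": host_permitted(entry, hostname)}


if __name__ == "__main__":
    print(check_entry(SAMPLE_LDIF, "telesto.example.org"))
    print(check_entry(SAMPLE_LDIF, "other.example.org"))
```

Run as a script it prints the decision for the two constructed hostnames; the same functions can be pointed at an entry exported with ldapsearch to see, before touching PAM, whether the entry's object classes would be accepted and which hosts its 'host' values would admit.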