From owner-freebsd-questions@FreeBSD.ORG Wed Apr 30 21:51:36 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C18D91065671 for ; Wed, 30 Apr 2008 21:51:36 +0000 (UTC) (envelope-from jonathan+freebsd-questions@hst.org.za) Received: from hermes.hst.org.za (onix.hst.org.za [209.203.2.133]) by mx1.freebsd.org (Postfix) with ESMTP id CA24B8FC1D for ; Wed, 30 Apr 2008 21:51:34 +0000 (UTC) (envelope-from jonathan+freebsd-questions@hst.org.za) Received: from [10.1.11.1] ([10.1.11.1]) (authenticated bits=0) by hermes.hst.org.za (8.13.8/8.13.8) with ESMTP id m3ULoTD3051746 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 30 Apr 2008 23:50:30 +0200 (SAST) (envelope-from jonathan+freebsd-questions@hst.org.za) From: Jonathan McKeown Organization: Health Systems Trust To: freebsd-questions@freebsd.org Date: Wed, 30 Apr 2008 23:52:01 +0200 User-Agent: KMail/1.9.4 References: <226ae0c60804300743x3d92cb28lbff81cf37b49df65@mail.gmail.com> In-Reply-To: <226ae0c60804300743x3d92cb28lbff81cf37b49df65@mail.gmail.com> X-Face: $@VrUx^RHy/}yu]jKf/<4T%/d|F+$j-Ol2"2J$q+%OK1]&/G_S9(=?utf-8?q?HkaQ*=60!=3FYOK=3FY!=27M=60C=0A=09aP=5C9nVPF8Q=7DCilHH8l=3B=7E!4?= =?utf-8?q?2HK6=273lg4J=7Daz?=@1Dqqh:J]M^"YPn*2IWrZON$1+G?oX3@ =?utf-8?q?k=230=0A=0954XDRg=3DYn=5FF-etwot4U=24b?=dTS{i X-Spam-Score: -4.368 () ALL_TRUSTED,AWL,BAYES_00 X-Scanned-By: MIMEDefang 2.61 on 209.203.2.133 Subject: Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2008 21:51:36 -0000 On Wednesday 30 April 2008 16:43, David Robillard wrote: > > On Wednesday 30 April 2008 11:00, O. Hartmann wrote: > > [ --- 8< --- SNIP! --- 8< --- ] > > > It's true that an object can only belong to one structural class > > (although it can belong to many auxiliary classes). > > > > I use the auxiliary class extensibleObject, which allows you to add any > > attribute to an LDAP object. My user accounts have three object classes: > > inetOrgPerson (the structural class), posixAccount and extensibleObject. > > The rules for the first two are still enforced, but I am able to add the > > Host: attribute. > > > > Jonathan > > That sounds very interesting Jonathan. Could you please share with us > the complete LDIF data used to create such a user? This is live from my LDAP server: # jfm, group, hst.org.za dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za objectClass: posixGroup gidNumber: 1001 cn: jfm # jfm, people, hst.org.za dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za objectClass: inetOrgPerson objectClass: posixAccount objectClass: extensibleObject sn: McKeown cn: Jonathan McKeown uidNumber: 1001 gidNumber: 1001 mail: jonathan@hst.org.za loginShell: /usr/local/bin/bash host: charlotte.hst.org.za host: clare.hst.org.za uid: jfm homeDirectory: /home/jfm There is, of course, also a userPassword attribute in the user account. (You didn't expect me to show you that, did you?!) Using posixGroup, the attribute for adding additional members to a group is memberUid. There's a bit more to getting this all working: configuring slapd.conf with appropriate schemas, installing and configuring pam_ldap and nss_ldap, and setting up PAM correctly. I can go into excruciating detail if you like... My only irritation is that although passwd(1) in 6.3 has the code within it to allow it to be controlled by PAM, it's all currently diked out, so that you can't use passwd(1) transparently with LDAP users. (As far as I know this hasn't changed in 7.0). inetOrgPerson gives you a huge number of optional fields for other information, up to and including a JPEG photo. It inherits from organizationalPerson which inherits from person, so you need to combine all three sets of attributes to get the complete spec for inetOrgPerson (note the only MUST attributes are sn and cn from person): NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) We're hardly using any of these, but it seemed to make more sense to build it in, in case. Jonathan