From: Jonathan McKeown
To: freebsd-questions@freebsd.org
Date: Mon, 17 Nov 2008 17:31:24 +0200
Subject: Re: host based authentication with OpenLDAP and FreeBSD

On Friday 14 November 2008 14:32, O. Hartmann wrote:
> Hello,
> I have an OT question and maybe some of the FreeBSD server admins here
> can help me out.
[snip]
> Having nss_ldap and pam_ldap installed on every single FreeBSD
> server/box which is capable of being accessed I found in etc/ldap.conf
> the tags 'pam_filter' and 'pam_check_host_attr'. Setting the latter to
> 'yes' implies having the 'host' attribute in each user's object located
> in OpenLDAP's DIT for the specific domain. But objectClass=account seems
> to conflict with objectClass=organizationalPeople which is a must in our
> configuration, so the host attribute is not of any further investigation.

Did you not like the answer I gave you in April when you asked essentially
the same question?

http://lists.freebsd.org/pipermail/freebsd-questions/2008-April/174152.html

For posterity (again) the extensibleObject auxiliary objectClass was
introduced for precisely this reason - so that you could add any attribute
the server knows about to an existing object which otherwise couldn't hold
it.
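
The change described in the reply above, as an added LDIF example that is not part of the original message: it attaches extensibleObject to an existing user entry and then adds the 'host' attribute that 'pam_check_host_attr yes' looks for. The DN and host names are constructed placeholders, and treating the 'host' values as the list of servers the user may log in to is an assumption about the pam_ldap client.

```ldif
# Constructed example: the DN and host names below are placeholders.
#
# Client side, in ldap.conf on each server (setting named in the quoted message):
#   pam_check_host_attr yes
#
# Directory side: extend the existing user entry without touching its
# structural objectClass, then list the hosts the user may log in to.
dn: uid=jdoe,ou=People,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: extensibleObject
-
add: host
host: server1.example.org
host: server2.example.org
```

Because extensibleObject lets the entry hold any attribute the server knows about, write access to 'host' and 'objectClass' on user entries should be limited by ACL to directory administrators.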