From owner-freebsd-questions@FreeBSD.ORG Thu May 1 15:49:16 2008
Message-ID: <226ae0c60805010849j796f682cjea77773ca7aa3049@mail.gmail.com>
Date: Thu, 1 May 2008 11:49:15 -0400
From: "David Robillard"
To: "FreeBSD Questions"
Cc: Edward Capriolo, Jonathan McKeown
Subject: Re: 
OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

> On Wednesday 30 April 2008 16:43, David Robillard wrote:
> > > On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> >
> > [ --- 8< --- SNIP! --- 8< --- ]
> >
> > That sounds very interesting Jonathan. Could you please share with us
> > the complete LDIF data used to create such a user?
>
> This is live from my LDAP server:
>
> # jfm, group, hst.org.za
> dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
> objectClass: posixGroup
> gidNumber: 1001
> cn: jfm
>
> # jfm, people, hst.org.za
> dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: extensibleObject
> sn: McKeown
> cn: Jonathan McKeown
> uidNumber: 1001
> gidNumber: 1001
> mail: jonathan@hst.org.za
> loginShell: /usr/local/bin/bash
> host: charlotte.hst.org.za
> host: clare.hst.org.za
> uid: jfm
> homeDirectory: /home/jfm
>
> There is, of course, also a userPassword attribute in the user account. (You
> didn't expect me to show you that, did you?!)

lol

Well, if it's in {SSHA} format and you change a few digits here and there, that's not a security issue :)

> Using posixGroup, the attribute for adding additional members to a group is memberUid.
>
> There's a bit more to getting this all working: configuring slapd.conf with
> appropriate schemas, installing and configuring pam_ldap and nss_ldap, and
> setting up PAM correctly. I can go into excruciating detail if you like...

Well, I'd certainly love to see how you've set things up. We could compare with what I've published on my wiki. The documentation is not finished, but it's a start. I'd really appreciate it if people could check it out and tell me where the document could be enhanced, if I made any mistakes, things like that. Check it out here:

http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/Kerberos+OpenLDAP

Notice that I've updated my documentation to reflect your LDIF data as I believe it to be very flexible. Thanks!

I know that Edward Capriolo (in Cc: to this email) has also published some Kerberos & OpenLDAP documentation online. Edward, care to join us here?

> My only irritation is that although passwd(1) in 6.3 has the code within it to
> allow it to be controlled by PAM, it's all currently diked out, so that you
> can't use passwd(1) transparently with LDAP users. (As far as I know this
> hasn't changed in 7.0).

Indeed, that's also a problem I have. How do you go about solving this?

> inetOrgPerson gives you a huge number of optional fields for other
> information, up to and including a JPEG photo. It inherits from
> organizationalPerson which inherits from person, so you need to combine all
> three sets of attributes to get the complete spec for inetOrgPerson (note the
> only MUST attributes are sn and cn from person):
>
> [ --- 8< --- SNIP! --- 8< --- ]
>
> We're hardly using any of these, but it seemed to make more sense to build it
> in, in case.

You're right, I totally agree.

> Jonathan

Cheers!

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
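Added here as a worked example, not code from the thread or from either poster: a small Python checker that loads an entry shaped like the one quoted above, applies a hand-written subset of the schema rules slapd enforces (one STRUCTURAL class chain, MUST attributes present, every attribute permitted by some class or by extensibleObject), and then evaluates the per-host login rule that pam_ldap's pam_check_host_attr option applies against the host attribute. The schema table, the abbreviated sample entry and the assumed pam_ldap matching rule (the host attribute must list the local hostname or "*") are this example's own assumptions.

```python
# Schema subset (hand-written): class -> (kind, MUST, MAY); MAY None = any attribute.
SCHEMA = {
    "person": ("STRUCTURAL", {"sn", "cn"}, {"userPassword"}),
    "organizationalPerson": ("STRUCTURAL", set(), {"ou"}),
    "inetOrgPerson": ("STRUCTURAL", set(), {"uid", "mail"}),
    "account": ("STRUCTURAL", {"uid"}, {"host"}),  # cosine class carrying host
    "posixAccount": ("AUXILIARY", {"cn", "uid", "uidNumber", "gidNumber",
                                   "homeDirectory"}, {"loginShell"}),
    "extensibleObject": ("AUXILIARY", set(), None),
}
SUP = {"inetOrgPerson": "organizationalPerson", "organizationalPerson": "person"}

def parse_ldif(text):
    """One LDIF entry -> {attr: [values]}; '#' comments skipped, no base64."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def check_entry(entry):
    """Schema violations slapd would reject the entry for; [] means it loads."""
    classes, problems, allowed = set(), [], set()
    for c in entry.get("objectClass", []):
        while c and c not in classes:              # pull in superclasses
            classes.add(c)
            c = SUP.get(c)
    structural = {c for c in classes if SCHEMA[c][0] == "STRUCTURAL"}
    leaves = structural - {SUP.get(c) for c in structural}
    if len(leaves) != 1:                           # e.g. inetOrgPerson + account
        problems.append("structural class conflict: %s" % sorted(leaves))
    for c in sorted(classes):
        _, must, may = SCHEMA[c]
        problems += ["%s requires %s" % (c, a) for a in sorted(must - set(entry))]
        allowed |= must | (set(entry) if may is None else may)
    for a in sorted(set(entry) - {"dn", "objectClass"} - allowed):
        problems.append("attribute %s not allowed by any objectClass" % a)
    return problems

def host_allows(entry, hostname):
    """pam_ldap pam_check_host_attr rule (assumed): host lists name or '*'."""
    return any(h == "*" or h.lower() == hostname.lower()
               for h in entry.get("host", []))

# Sample input: the posted entry, abbreviated (constructed for this example).
JFM = parse_ldif("dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za\n"
                 "objectClass: inetOrgPerson\nobjectClass: posixAccount\n"
                 "objectClass: extensibleObject\nsn: McKeown\ncn: Jonathan McKeown\n"
                 "uid: jfm\nuidNumber: 1001\ngidNumber: 1001\n"
                 "homeDirectory: /home/jfm\nhost: charlotte.hst.org.za\nhost: clare.hst.org.za")
```

Swapping extensibleObject for the STRUCTURAL account class reproduces the conflict the subject line asks about, and dropping it altogether shows host being rejected outright.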