Date: Wed, 30 Apr 2008 23:52:01 +0200 From: Jonathan McKeown <jonathan+freebsd-questions@hst.org.za> To: freebsd-questions@freebsd.org Subject: Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account? Message-ID: <200804302352.01337.jonathan%2Bfreebsd-questions@hst.org.za> In-Reply-To: <226ae0c60804300743x3d92cb28lbff81cf37b49df65@mail.gmail.com> References: <226ae0c60804300743x3d92cb28lbff81cf37b49df65@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 30 April 2008 16:43, David Robillard wrote:
> > On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
>
> [ --- 8< --- SNIP! --- 8< --- ]
>
> > It's true that an object can only belong to one structural class
> > (although it can belong to many auxiliary classes).
> >
> > I use the auxiliary class extensibleObject, which allows you to add any
> > attribute to an LDAP object. My user accounts have three object classes:
> > inetOrgPerson (the structural class), posixAccount and extensibleObject.
> > The rules for the first two are still enforced, but I am able to add the
> > Host: attribute.
> >
> > Jonathan
>
> That sounds very interesting Jonathan. Could you please share with us
> the complete LDIF data used to create such a user?
This is live from my LDAP server:
# jfm, group, hst.org.za
dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
objectClass: posixGroup
gidNumber: 1001
cn: jfm
# jfm, people, hst.org.za
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
mail: jonathan@hst.org.za
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm
There is, of course, also a userPassword attribute in the user account. (You
didn't expect me to show you that, did you?!)
Using posixGroup, the attribute for adding additional members to a group is
memberUid.
There's a bit more to getting this all working: configuring slapd.conf with
appropriate schemas, installing and configuring pam_ldap and nss_ldap, and
setting up PAM correctly. I can go into excruciating detail if you like...
My only irritation is that although passwd(1) in 6.3 has the code within it to
allow it to be controlled by PAM, it's all currently diked out, so that you
can't use passwd(1) transparently with LDAP users. (As far as I know this
hasn't changed in 7.0).
inetOrgPerson gives you a huge number of optional fields for other
information, up to and including a JPEG photo. It inherits from
organizationalPerson which inherits from person, so you need to combine all
three sets of attributes to get the complete spec for inetOrgPerson (note the
only MUST attributes are sn and cn from person):
NAME 'inetOrgPerson'
DESC 'RFC2798: Internet Organizational Person'
SUP organizationalPerson
STRUCTURAL
MAY ( audio $ businessCategory $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $
labeledURI $ mail $ manager $ mobile $ o $ pager $
photo $ roomNumber $ secretary $ uid $ userCertificate $
x500uniqueIdentifier $ preferredLanguage $
userSMIMECertificate $ userPKCS12 )
NAME 'organizationalPerson'
DESC 'RFC2256: an organizational person'
SUP person
STRUCTURAL
MAY ( title $ x121Address $ registeredAddress $
destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l )
NAME 'person'
DESC 'RFC2256: a person'
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description )
We're hardly using any of these, but it seemed to make more sense to build it
in, in case.
Jonathan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200804302352.01337.jonathan%2Bfreebsd-questions>