Date:      Thu, 1 May 2008 11:49:15 -0400
From:      "David Robillard" <david.robillard@gmail.com>
To:        "FreeBSD Questions" <freebsd-questions@freebsd.org>
Cc:        Edward Capriolo <edlinuxguru@gmail.com>, Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>
Subject:   Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?
Message-ID:  <226ae0c60805010849j796f682cjea77773ca7aa3049@mail.gmail.com>

> On Wednesday 30 April 2008 16:43, David Robillard wrote:
> > > On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> >
> > [ --- 8< --- SNIP! --- 8< --- ]
> >
> > That sounds very interesting Jonathan. Could you please share with us
> > the complete LDIF data used to create such a user?
>
> This is live from my LDAP server:
>
> # jfm, group, hst.org.za
> dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
> objectClass: posixGroup
> gidNumber: 1001
> cn: jfm
>
> # jfm, people, hst.org.za
> dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: extensibleObject
> sn: McKeown
> cn: Jonathan McKeown
> uidNumber: 1001
> gidNumber: 1001
> mail: jonathan@hst.org.za
> loginShell: /usr/local/bin/bash
> host: charlotte.hst.org.za
> host: clare.hst.org.za
> uid: jfm
> homeDirectory: /home/jfm
>
> There is, of course, also a userPassword attribute in the user account. (You
> didn't expect me to show you that, did you?!)

lol Well, if it's in {SSHA} format and you change a few digits here
and there, that's not a security issue :)


> Using posixGroup, the attribute for adding additional members to a group is memberUid.
>
> There's a bit more to getting this all working: configuring slapd.conf with
> appropriate schemas, installing and configuring pam_ldap and nss_ldap, and
> setting up PAM correctly. I can go into excruciating detail if you like...

Well, I'd certainly love to see how you've set things up. We could
compare with what I've published on my wiki. The documentation is not
finished, but it's a start. I'd really appreciate if people could
check it out and tell me where the document could be enhanced, if I
made any mistakes, things like that. Check it out here:

http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/Kerberos+OpenLDAP

Notice that I've updated my documentation to reflect your LDIF data as
I believe it to be very flexible. Thanks!

I know that Edward Capriolo (in Cc: to this email) has also published
some Kerberos & OpenLDAP documentation online. Edward, care to join
us here?


> My only irritation is that although passwd(1) in 6.3 has the code within it to
> allow it to be controlled by PAM, it's all currently diked out, so that you
> can't use passwd(1) transparently with LDAP users. (As far as I know this
> hasn't changed in 7.0).

Indeed, that's also a problem I have. How do you go about solving this?


> inetOrgPerson gives you a huge number of optional fields for other
> information, up to and including a JPEG photo. It inherits from
> organizationalPerson which inherits from person, so you need to combine all
> three sets of attributes to get the complete spec for inetOrgPerson (note the
> only MUST attributes are sn and cn from person):
>
> [ --- 8< --- SNIP! --- 8< --- ]
>
> We're hardly using any of these, but it seemed to make more sense to build it
> in, in case.

You're right, I totally agree.

> Jonathan

Cheers!

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
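An added example (editor's code, not from the thread, and not the code of OpenLDAP, pam_ldap or nss_ldap): it parses an LDIF entry shaped like the one Jonathan quoted and walks it through the two checks a login depends on. First the {SSHA} userPassword comparison that slapd makes on a bind (base64 of sha1(password + salt) followed by the salt), which is what David's remark about the hash format refers to; then the per-host check that pam_ldap performs when `pam_check_host_attr yes` is set in ldap.conf, using the `host` values that extensibleObject lets you attach to the account. The LDIF text, password and salt are constructed; the assumptions that an account with no `host` attribute is denied and that `host: *` means any host follow pam_ldap's documented behaviour as I understand it and should be confirmed against your own pam_ldap version.

```python
"""Simulate slapd's {SSHA} bind check and pam_ldap's host-attribute check
against an LDIF entry. Constructed data; editor's example, not project code."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed LDIF modelled on the entry quoted in the thread.
# The userPassword value is generated by ssha_hash() below, not copied from anywhere.
LDIF_TEMPLATE = """\
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm
userPassword: {password_hash}
"""


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt is the tail of the blob."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]} with lower-cased names.
    Handles folded continuation lines (leading space) and 'attr:: base64' values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded line continues the previous one
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def host_allowed(entry: Dict[str, List[str]], hostname: str) -> bool:
    """pam_check_host_attr-style decision (assumption: no host attribute at all
    means deny; a '*' value means any host)."""
    hosts = entry.get("host", [])
    return "*" in hosts or hostname in hosts


def login_check(entry: Dict[str, List[str]], hostname: str, password: str) -> Tuple[bool, str]:
    """Host restriction first, then the password; returns (allowed, reason)."""
    if not host_allowed(entry, hostname):
        return False, "host not permitted"
    stored = entry.get("userpassword", [""])[0]
    if not ssha_verify(password, stored):
        return False, "bad password"
    return True, "ok"


def build_entry(password: str = "correct horse", salt: bytes = b"\x01\x02\x03\x04") -> Dict[str, List[str]]:
    """Fill the constructed template with a freshly computed {SSHA} value."""
    return parse_ldif_entry(LDIF_TEMPLATE.format(password_hash=ssha_hash(password, salt)))


if __name__ == "__main__":
    e = build_entry()
    for host, pw in [("charlotte.hst.org.za", "correct horse"),
                     ("other.hst.org.za", "correct horse"),
                     ("clare.hst.org.za", "wrong")]:
        print(host, login_check(e, host, pw))
```

The point of the host check is that the same directory entry can be consumed by every box running nss_ldap (so getpwnam() works everywhere) while pam_ldap only lets the user actually log in on the hosts named in the entry; without `pam_check_host_attr yes` the `host` values are just data and every host accepts the account.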