
Re: Account Login / schema question



Hi,

On Friday 30 May 2003 16:42, Tibbetts, Ric wrote:
> I have a new server. All seems pretty good with it.
> But, when I add accounts... Depending on how I add them, they may, or
> may not allow logins.
>
> For example, if I create an account from the following ldif:
>
> dn: uid=<user>,ou=People,dc=ldap-test,dc=com
> givenName: bob
> sn: <user>
> objectClass: top
> objectClass: posixAccount
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> uid: gulkebo
> cn: gulker, bob
> mail: xxxxxxxx@mail.northgrum.com
> userPassword: {CRYPT}fHmEOE4NOjwNw
> uidNumber: xxxxxx
> gidNumber: 14
> homeDirectory: /home/xxxxxxx
> loginShell: /bin/csh
> gecos: Users Name
>
> (sensitive info crossed out)
>
> The user created from that ldif will not be able to log in.
>
> However, if I create a user from the following ldif, he CAN log in:
>
> dn: uid=<user>,ou=People,dc=ldap-test,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> uid: <user>
> cn: <user>
> userPassword: {CRYPT}2Qj0TPuTG5y2I
> uidNumber: 122206
> gidNumber: 14
> homeDirectory: /home/<user>
> loginShell: /bin/csh
> gecos: <user>
>
>
> NOTE: The (primary) difference is the use of "account", and not using
> inetOrgPerson, and organizationalPerson objectClasses.

To me the question seems related to PADL's pam_ldap.

Do you by chance have
  pam_filter             objectclass=account
in your /etc/ldap.conf ?
That might explain why you need the account objectclass.

> If I mix account, and inetOrgPerson, I get an error. But if I don't
> include account, the user cannot log in.

I assume the error you get is about having not exactly one structural object
class chain.
You can solve it by creating your own objectclass that inherits from
inetOrgPerson and account. See the list archive for how to accomplish this.

Peter

-- 
Peter Marschall
eMail: peter@adpm.de
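As an added illustration of the two problems raised in this thread (it is not code from either poster), the Python script below checks an LDIF entry the way pam_ldap and slapd would look at it: does the entry satisfy a `pam_filter` such as `objectclass=account`, and does it carry more than one structural object-class chain? The schema table is a hand-written subset of the standard core/cosine/inetorgperson/nis classes, the filter evaluator only understands a single equality term, and the sample entries are constructed from the ones quoted above; all of those are assumptions of this example, not something the thread specifies.

```python
"""Validate LDIF account entries before loading them.

Two checks, mirroring the thread:
  1. would pam_ldap's pam_filter (e.g. objectclass=account) match the entry?
  2. does the entry have exactly one structural object-class chain, as slapd requires?
"""

# Constructed subset of the standard schema: class -> (kind, superior class).
# This is a hand-coded table for the example, not read from a directory server.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "account": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def chain(cls):
    """List the class and all its superiors up to top, most specific first."""
    out = []
    while cls is not None:
        out.append(cls)
        cls = SCHEMA[cls][1]
    return out


def structural_roots(entry):
    """Return the most specific structural classes in the entry.

    A structural class that is a superior of another structural class in the
    same entry belongs to the same chain and is not counted separately.
    """
    structural = [c for c in entry.get("objectclass", [])
                  if SCHEMA.get(c, ("UNKNOWN", None))[0] == "STRUCTURAL"]
    return [c for c in structural
            if not any(c != other and c in chain(other) for other in structural)]


def matches_filter(entry, pam_filter):
    """Evaluate a single equality filter 'attr=value' (optionally parenthesised)."""
    attr, _, value = pam_filter.strip("()").partition("=")
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def check(ldif_text, pam_filter="objectclass=account"):
    """Return a list of problems; an empty list means the entry should log in."""
    entry = parse_ldif(ldif_text)
    problems = []
    roots = structural_roots(entry)
    if len(roots) > 1:
        problems.append("multiple structural object class chains: " + ", ".join(roots))
    if not matches_filter(entry, pam_filter):
        problems.append("entry does not match pam_filter " + pam_filter)
    return problems


# Constructed sample entries modelled on the ones quoted in the thread.
INETORG_ENTRY = """\
dn: uid=bob,ou=People,dc=ldap-test,dc=com
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
uid: bob
cn: bob
"""

ACCOUNT_ENTRY = """\
dn: uid=bob,ou=People,dc=ldap-test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: bob
cn: bob
"""

MIXED_ENTRY = ACCOUNT_ENTRY + "objectClass: inetOrgPerson\n"

if __name__ == "__main__":
    for name, ldif in [("inetOrgPerson", INETORG_ENTRY),
                       ("account", ACCOUNT_ENTRY),
                       ("mixed", MIXED_ENTRY)]:
        print(name, "->", check(ldif) or "ok")
```

Running the script reproduces the thread's observations: the inetOrgPerson entry is schema-valid but fails the `objectclass=account` filter, the account entry passes both checks, and the mixed entry satisfies the filter but carries two structural chains, which is the error slapd reports. Extend `SCHEMA` from the server's actual schema before relying on the structural-chain check for other classes.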