[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Structural Object Classes

ldap skrev, on 18-10-2007 18:00:

We currently run a ldap server to authenticate our systems. It uses
openldap 2.0.27-23 on redhat 3 or earlier. We recently tried to to
upgrade the servers to Redhat 4 which uses openldap 2.2.13-7. We were
unable to get it to function with the exact setup, configs and database
we used in the earlier versions. As I understand it, strict checking
was enforced in the later version of openldap and was not in the
previous versions. The entries in the ldap directory have the following
object classes: top, person, organizationalperson, inetorgperson,
posixaccount, shadowaccount, account. Person and Account
are both structural classes. I could be off base, but I thought that
only one structural class is allowed and since this wasn't enforced in
earlier versions it worked. Now since it is enforced it may be at least
one of the issues. The main reason the account object class is used is
for the host attribute which we use with the ldap.conf
"pam_check_host_attr" directive to limit who can log into certain
machines. If my assumptions above are correct, are there any
suggestions on how to upgrade to the newer version of openldap and get
around the above issues?

In addition to what Quanah says about using an up to date release and avoiding Red Hat offerings like the plague, you can use the ldapns.schema for providing the host attribute; the objectClass hostObject that provides the host attribute is auxiliary. This schema is provided in Buchan Milnes' rpm set which you should use instead of Red Hat's.


-- Tony Earnshaw Email: tonni at hetnet dot nl