[Date Prev][Date Next]
Re: Host based authentication using OpenLDAP
François Mehault wrote:
I follow your conversation because I have to do the same thing, so I would like to add hosts in my openldap but I don't succeed
# ldapadd -x -D "cn=manager,dc=netplus,dc=fr" -w **** -f add.ldif
adding new entry "cn=hostlab,ou=hosts,dc=netplus,dc=fr"
ldapadd: Object class violation (65)
additional info: no structural object class provided
What is the problem ? in my phpldapadmin I have this message:
Both ipHost and authorizedServiceObject are auxiliary classes, you still need
to provide a structural class. "device" is good enough for this purpose...
Importation au format LDIF
Impossible d'ajouter un objet : cn=hostlab,ou=hosts,dc=netplus,dc=fr
LDAP dit :: LDAP_OBJECT_CLASS_VIOLATION
You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.
Maybe I had to post in a new message, sorry if I'm wrong.
De : openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org [mailto:openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org] De la part de Howard Chu
Envoyé : vendredi 22 mai 2009 15:49
À : John Kane
Cc : firstname.lastname@example.org
Objet : Re: Host based authentication using OpenLDAP
Howard Chu wrote:
Howard Chu wrote:
John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds
very useful, something I would like to take advantage of, but I cannot seem to
find any documentation on it. How long has this been available (what release),
and where might I find more info?
It has not been released yet.
Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
it only had NSS support. The PAM support is currently only in CVS.
You can check out the current code from CVS in
contrib/slapd-modules/nssov. You can browse it online here:
The README and slapo-nssov.5 manpage will give you a better idea of what it does.
And fyi, here's an example... For a given host:
you use the authorizedService attribute to list the PAM services that are
available. Then you set ACLs to control who can access each service, like so:
access to dn.subtree=ou=hosts,dc=example,dc=com
by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
by peername.ip=192.168.2.0%255.255.255.0 read
by * search
The overlay performs a Compare operation to check for the required service, so
if you deny Compare access to a particular service, then users aren't allowed
to use that service.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/