[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Host based authentication using OpenLDAP

François Mehault wrote:

I follow your conversation because I have to do the same thing, so I would like to add hosts in my openldap but I don't succeed

My add.ldif

dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
authorizedService: sshd
authorizedService: ftp

my command

# ldapadd -x -D "cn=manager,dc=netplus,dc=fr" -w **** -f add.ldif
adding new entry "cn=hostlab,ou=hosts,dc=netplus,dc=fr"
ldapadd: Object class violation (65)
         additional info: no structural object class provided

What is the problem ? in my phpldapadmin I have this message:

Both ipHost and authorizedServiceObject are auxiliary classes, you still need to provide a structural class. "device" is good enough for this purpose...

Importation au format LDIF
Impossible d'ajouter un objet : cn=hostlab,ou=hosts,dc=netplus,dc=fr
You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.

Maybe I had to post in a new message, sorry if I'm wrong.



-----Message d'origine-----
De : openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org [mailto:openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org] De la part de Howard Chu
Envoyé : vendredi 22 mai 2009 15:49
À : John Kane
Cc : openldap-technical@openldap.org
Objet : Re: Host based authentication using OpenLDAP

Howard Chu wrote:
Howard Chu wrote:
John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds
very useful, something I would like to take advantage of, but I cannot seem to
find any documentation on it. How long has this been available (what release),
and where might I find more info?

It has not been released yet.

Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
it only had NSS support. The PAM support is currently only in CVS.

You can check out the current code from CVS in
contrib/slapd-modules/nssov. You can browse it online here:


The README and slapo-nssov.5 manpage will give you a better idea of what it does.

And fyi, here's an example... For a given host:

dn: cn=hostX,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
authorizedService: sshd
authorizedService: ftp

you use the authorizedService attribute to list the PAM services that are
available. Then you set ACLs to control who can access each service, like so:

access to dn.subtree=ou=hosts,dc=example,dc=com
    attrs=authorizedService val.exact=sshd
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by peername.ip= read
    by * search

The overlay performs a Compare operation to check for the required service, so
if you deny Compare access to a particular service, then users aren't allowed
to use that service.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/