
Re: Adding Objectclass account gives object class violation

On Wed, 2010-04-14 at 14:28 +0530, Shamika Joshi wrote:
> I'm using samba-openldap on Ubuntu 9.10 Server. I have created the
> following user, rick, using smbldap-tools, which use the default
> samba.schema, e.g. as shown below.
> Now I also want to use "Host based authentication" using pam_filter,
> where I need to mention a host entry which has to be present in that
> user record.
> pam_filter |(host=cms2)(host=cms3)
> However, the "host" attribute appears only if I add "objectclass: account".
> If I go ahead and add that here for user rick it gives me an objectclass
> violation. What could be the way out of it? Any inputs would be highly
> appreciated.

You are violating the structural objectclass chain.

> cn: rick
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount

Your 'deepest' structural objectclass is an inetOrgPerson; a person is
not an account. [Yeah, that part is pretty dumb - account should be
abstract.] posixAccount, sambaSamAccount, and shadowAccount are all
abstract classes. For some [historical?] reason account is a structural
objectclass. So to have an inetOrgPerson that is also an account you
need to have an objectclass that seals the breach in the structural
objectclass chain.

We use:

 objectclass (
   NAME 'mHybridPerson'
   DESC 'Combine several objectclasses to support multiple MUAs'
   SUP ( inetOrgPerson $ officePerson $ evolutionPerson )
 )

 objectclass (
   NAME 'mHybridUserAccount'
   DESC 'Combine mHybridPerson and account'
   SUP ( mHybridPerson $ account )
 )

Or you can find, or define, an abstract objectclass that
permits/requires the host attribute.  [Although isn't it more elegant to
use groups anyway?]