RE: Host based authentication using OpenLDAP
Hi
I am following your conversation because I have to do the same thing, so I would like to add hosts to my OpenLDAP, but I don't succeed.
My add.ldif:
dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp
My command:
# ldapadd -x -D "cn=manager,dc=netplus,dc=fr" -w **** -f add.ldif
adding new entry "cn=hostlab,ou=hosts,dc=netplus,dc=fr"
ldapadd: Object class violation (65)
additional info: no structural object class provided
What is the problem? In my phpldapadmin I have this message:
Importation au format LDIF
Impossible d'ajouter un objet : cn=hostlab,ou=hosts,dc=netplus,dc=fr
LDAP dit :: LDAP_OBJECT_CLASS_VIOLATION
You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.
Maybe I should have posted in a new message; sorry if I'm wrong.
Regards,
François
-----Original Message-----
From: openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org [mailto:openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Friday, 22 May 2009 15:49
To: John Kane
Cc: openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP
Howard Chu wrote:
> Howard Chu wrote:
>> John Kane wrote:
>>> Sorry to jump in the middle of this thread, but the nssov overlay sounds
>>> very useful, something I would like to take advantage of, but I cannot seem to
>>> find any documentation on it. How long has this been available (what release),
>>> and where might I find more info?
>>
>> It has not been released yet.
>
> Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
> it only had NSS support. The PAM support is currently only in CVS.
>
>> You can check out the current code from CVS in
>> contrib/slapd-modules/nssov. You can browse it online here:
>>
>> http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
>>
>> The README and slapo-nssov.5 manpage will give you a better idea of what it does.
>
And fyi, here's an example... For a given host:
dn: cn=hostX,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
ipHostNumber: 192.168.1.127
authorizedService: sshd
authorizedService: ftp
you use the authorizedService attribute to list the PAM services that are
available. Then you set ACLs to control who can access each service, like so:
access to dn.subtree=ou=hosts,dc=example,dc=com
attrs=authorizedService val.exact=sshd
by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
by peername.ip=192.168.2.0%255.255.255.0 read
by * search
The overlay performs a Compare operation to check for the required service, so
if you deny Compare access to a particular service, then users aren't allowed
to use that service.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
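The Compare check described in the quoted message, modelled as an added example (not code from the thread or from OpenLDAP): a small Python evaluator for the quoted access directive that applies the privilege ordering from slapd.access(5) (none < disclose < auth < compare < search < read < write < manage), so a by clause grants Compare at compare or any higher level. The host DN, group membership, bind DN and peer address are constructed assumptions, as is the reading that slapd evaluates the overlay's Compare as the user's DN on the connection it arrived on.

```python
import ipaddress

# Privilege ordering from slapd.access(5); each level implies all lower ones,
# so a "by" clause grants Compare whenever its level is compare or above.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_grants(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

# Constructed model of the access directive quoted in the thread:
# (dn.subtree, attrs, val.exact, [(who, level), ...]) in directive order.
ACL = [
    ("ou=hosts,dc=example,dc=com", "authorizedService", "sshd", [
        ("group.exact=cn=admins,ou=groups,dc=example,dc=com", "write"),
        ("peername.ip=192.168.2.0%255.255.255.0", "read"),
        ("*", "search"),
    ]),
]

# Hypothetical group membership used to resolve group.exact clauses.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
}

def who_matches(who, bind_dn, peer_ip):
    """Evaluate only the <who> forms that appear in the quoted directive."""
    if who == "*":
        return True
    if who.startswith("group.exact="):
        return bind_dn in GROUPS.get(who.split("=", 1)[1], set())
    if who.startswith("peername.ip="):
        net, mask = who.split("=", 1)[1].split("%")
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    raise ValueError(f"unsupported by-clause: {who}")

def compare_allowed(entry_dn, attr, value, bind_dn, peer_ip, acl=ACL):
    """Would the Compare (attr=value on entry_dn) that the overlay performs succeed?

    Assumes bind_dn is the identity the Compare is evaluated as and peer_ip is
    the source address of the connection it arrives on.
    """
    for subtree, a_attr, a_val, clauses in acl:
        if not entry_dn.lower().endswith(subtree.lower()) or (attr, value) != (a_attr, a_val):
            continue  # val.exact did not match: this directive does not apply
        for who, level in clauses:
            if who_matches(who, bind_dn, peer_ip):
                return level_grants(level, "compare")  # first matching clause decides
        return False  # target matched but no by-clause matched: denied
    return False  # no directive targets it; once ACLs exist the default is deny
```

Because search sits above compare in that ordering, a trailing `by * search` clause still lets every other identity pass the Compare; `by * none` is the clause that withholds a service from them.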