
RE: Host based authentication using OpenLDAP



Hi

I have been following your conversation because I have to do the same thing, so I would like to add hosts to my OpenLDAP, but I am not succeeding.

My add.ldif:

dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp

My command:

# ldapadd -x -D "cn=manager,dc=netplus,dc=fr" -w **** -f add.ldif
adding new entry "cn=hostlab,ou=hosts,dc=netplus,dc=fr"
ldapadd: Object class violation (65)
        additional info: no structural object class provided

What is the problem? In my phpLDAPadmin I have this message:

Importation au format LDIF
Impossible d'ajouter un objet : cn=hostlab,ou=hosts,dc=netplus,dc=fr
LDAP dit :: LDAP_OBJECT_CLASS_VIOLATION
You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.

Maybe I should have posted in a new message; sorry if I'm wrong.

Regards,

François
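The error above is slapd's schema check at work: both ipHost (nis.schema) and authorizedServiceObject (the nssov ldapns schema) are AUXILIARY classes, so an entry listing only those has no STRUCTURAL class. The checker below is an added example, not code from the thread or from OpenLDAP; it carries a hand-built subset of the relevant schema (assumed sufficient for these entries, with abbreviated MAY lists) and reproduces the three checks behind LDAP_OBJECT_CLASS_VIOLATION: a missing or duplicated structural class, a missing MUST attribute, and an attribute no listed class allows. It runs the LDIF from the thread and a corrected copy that adds `objectClass: device`, the STRUCTURAL class from core.schema whose MUST attribute is cn.

```python
"""Pre-flight an LDIF file for the schema violations slapd would reject.

Added example, not from the thread. SCHEMA is a constructed subset of
OpenLDAP's core.schema, nis.schema and the nssov ldapns.schema.
"""
from collections import defaultdict

# class -> (kind, superior, MUST attributes, MAY attributes); names lowercased
# because LDAP attribute and class names are case-insensitive.
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectclass"}, set()),
    "device": ("STRUCTURAL", "top", {"cn"},
               {"serialnumber", "seealso", "owner", "ou", "o", "l", "description"}),
    "iphost": ("AUXILIARY", "top", {"cn", "iphostnumber"},
               {"l", "description", "manager"}),
    "authorizedserviceobject": ("AUXILIARY", "top", set(), {"authorizedservice"}),
}


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.

    Handles '#' comment lines, blank-line entry separators and leading-space
    continuation lines; base64 ('::') values are kept as their encoded text.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.lstrip(": ").strip())
    return entries


def _with_superiors(name):
    """Expand a class to itself plus its SUP chain (device -> device, top)."""
    chain = []
    while name:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain


def check_entry(entry):
    """Return the schema violations slapd would report for one entry."""
    problems = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ["unknown objectClass: " + ", ".join(unknown)]
    expanded = {sup for c in classes for sup in _with_superiors(c)}
    structural = [c for c in expanded if SCHEMA[c][0] == "STRUCTURAL"]
    if not structural:
        problems.append("no structural object class provided")
    elif len(structural) > 1:
        # slapd tolerates several structural classes only when they form one
        # superclass chain; that refinement is not modelled here.
        problems.append("more than one structural object class: "
                        + ", ".join(sorted(structural)))
    must = set().union(*(SCHEMA[c][2] for c in expanded))
    allowed = must | set().union(*(SCHEMA[c][3] for c in expanded))
    present = set(entry) - {"dn"}
    for attr in sorted(must - present):
        problems.append("required attribute missing: " + attr)
    for attr in sorted(present - allowed):
        problems.append("attribute not allowed by the listed objectClasses: " + attr)
    return problems


def check_ldif(text):
    """Return [(dn, violations)] for every entry; an empty list means OK."""
    return [(e.get("dn", ["<no dn>"])[0], check_entry(e)) for e in parse_ldif(text)]


# Constructed sample: the entry from the thread, then a corrected copy that
# adds the STRUCTURAL class 'device'.
SAMPLE_LDIF = """\
dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp

dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: device
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp
"""

if __name__ == "__main__":
    for dn, violations in check_ldif(SAMPLE_LDIF):
        print(dn, "->", violations or "OK")
```

Run against the sample, the first entry reports exactly the message ldapadd printed, and the second passes; feeding the corrected entry to ldapadd is the fix for the error in this message.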



-----Original Message-----
From: openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org [mailto:openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Friday 22 May 2009 15:49
To: John Kane
Cc: openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP

Howard Chu wrote:
> Howard Chu wrote:
>> John Kane wrote:
>>> Sorry to jump in the middle of this thread, but the nssov overlay sounds
>>> very useful, something I would like to take advantage of, but I cannot seem to
>>> find any documentation on it. How long has this been available (what release),
>>> and where might I find more info?
>>
>> It has not been released yet.
>
> Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
> it only had NSS support. The PAM support is currently only in CVS.
>
>> You can check out the current code from CVS in
>> contrib/slapd-modules/nssov. You can browse it online here:
>>
>> http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
>>
>> The README and slapo-nssov.5 manpage will give you a better idea of what it does.
>
And fyi, here's an example... For a given host:

dn: cn=hostX,ou=hosts,dc=example,dc=com
# device is the STRUCTURAL class (core.schema); ipHost and
# authorizedServiceObject are both AUXILIARY, so slapd rejects the
# entry with "no structural object class provided" without it
objectClass: device
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
ipHostNumber: 192.168.1.127
authorizedService: sshd
authorizedService: ftp

you use the authorizedService attribute to list the PAM services that are
available. Then you set ACLs to control who can access each service, like so:

access to dn.subtree=ou=hosts,dc=example,dc=com
   attrs=authorizedService val.exact=sshd
   by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
   by peername.ip=192.168.2.0%255.255.255.0 read
   by * search

The overlay performs a Compare operation to check for the required service, so
if you deny Compare access to a particular service, then users aren't allowed
to use that service.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
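Because nssov decides by a Compare on authorizedService, the question for the ACL above is which requesters end up with at least compare privilege on the value sshd. The evaluator below is an added example, not code from the thread or from OpenLDAP; it models just the two slapd.access(5) rules that matter here: privilege levels are cumulative (none < disclose < auth < compare < search < read < write < manage, each level implying all lower ones) and the first matching `by` clause of the directive decides. The group membership and peer addresses are constructed sample data. One caveat this makes visible: since search is above compare on the ladder, the `by * search` clause still grants Compare to everyone, so the example also evaluates a variant whose catch-all is `auth`, the lowest level that lets clients bind without including compare.

```python
"""Who may Compare authorizedService=sshd under a slapd-style ACL?

Added example, not from the thread or from OpenLDAP. Models only cumulative
privilege levels and first-match-wins clause selection.
"""
import ipaddress

# slapd.access(5) privilege ladder; each level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def grants(level, needed):
    """True if a granted level includes the needed one."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# The 'by' clauses from the thread's ACL, as (who-kind, who-value, level).
ACL_FROM_THREAD = [
    ("group", "cn=admins,ou=groups,dc=example,dc=com", "write"),
    ("peername.ip", "192.168.2.0%255.255.255.0", "read"),
    ("*", None, "search"),
]

# Same directive with the catch-all lowered to 'auth': below 'compare', so
# requesters matching neither earlier clause are denied the Compare.
ACL_DENY_OTHERS = ACL_FROM_THREAD[:2] + [("*", None, "auth")]

# Constructed sample directory state: who is in the admins group.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
}


def peer_matches(spec, ip):
    """slapd's peername.ip=<net>%<mask> form, checked with the ipaddress module."""
    net, mask = spec.split("%")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def clause_matches(clause, requester):
    kind, value, _ = clause
    if kind == "*":
        return True
    if kind == "group":
        return requester["dn"] in GROUPS.get(value, set())
    if kind == "peername.ip":
        return peer_matches(value, requester["peer_ip"])
    raise ValueError(f"unsupported who-clause: {kind}")


def access_level(acl, requester):
    """First matching 'by' clause decides; no match at all means 'none'."""
    for clause in acl:
        if clause_matches(clause, requester):
            return clause[2]
    return "none"


def may_compare(acl, requester):
    """Would nssov's Compare on authorizedService=sshd be permitted?"""
    return grants(access_level(acl, requester), "compare")


# Constructed requesters: an admin, a client on the trusted LAN, and an
# unrelated user on another network.
REQUESTERS = {
    "alice (admins group)": {"dn": "uid=alice,ou=people,dc=example,dc=com", "peer_ip": "10.0.0.5"},
    "anonymous from 192.168.2.14": {"dn": "", "peer_ip": "192.168.2.14"},
    "bob from 10.0.0.9": {"dn": "uid=bob,ou=people,dc=example,dc=com", "peer_ip": "10.0.0.9"},
}

if __name__ == "__main__":
    for name, acl in (("thread ACL", ACL_FROM_THREAD), ("catch-all auth", ACL_DENY_OTHERS)):
        for label, req in REQUESTERS.items():
            print(f"{name:15} {label:30} level={access_level(acl, req):7} "
                  f"compare={'allowed' if may_compare(acl, req) else 'denied'}")
```

Real slapd also stops at the first `access to` directive whose target matches, so a broader directive placed earlier in slapd.conf would shadow this one; the model above assumes this directive is the one selected.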