François Mehault wrote:
Hi
I follow your conversation because I have to do the same thing, so I would like to add hosts to my OpenLDAP, but I don't succeed.
My add.ldif
dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp
my command
# ldapadd -x -D "cn=manager,dc=netplus,dc=fr" -w **** -f add.ldif
adding new entry "cn=hostlab,ou=hosts,dc=netplus,dc=fr"
ldapadd: Object class violation (65)
        additional info: no structural object class provided
What is the problem? In my phpldapadmin I have this message:
Both ipHost and authorizedServiceObject are auxiliary classes; you still need to provide a structural class. "device" is good enough for this purpose...
Importation au format LDIF Impossible d'ajouter un objet : cn=hostlab,ou=hosts,dc=netplus,dc=fr LDAP dit :: LDAP_OBJECT_CLASS_VIOLATION You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.
Maybe I should have posted in a new message; sorry if I'm wrong.
Regards,
François
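The failure above is a schema check that slapd performs before the entry is written: every entry needs exactly one structural objectClass chain, and ipHost and authorizedServiceObject are both AUXILIARY. As an added example (not code from this thread or from OpenLDAP), the script below parses an LDIF entry and applies that rule against a small hard-coded table of class kinds. The table is a constructed subset of the real schema (slapd reads the kind of each class from its loaded schema files); the two embedded entries are the one posted above and a copy with `objectClass: device` added, as suggested in the reply.

```python
"""Pre-flight check for the "no structural object class provided" error.

Added example, not part of the original thread. The SCHEMA_KIND table is a
constructed subset of what slapd knows from core.schema, nis.schema and the
ldapns schema that defines authorizedServiceObject.
"""

# Constructed schema subset: objectClass name -> kind.
SCHEMA_KIND = {
    "top": "ABSTRACT",
    "device": "STRUCTURAL",
    "ipHost": "AUXILIARY",
    "authorizedServiceObject": "AUXILIARY",
}

# The entry exactly as posted above (fails: only AUXILIARY classes).
FAILING_LDIF = """\
dn: cn=hostlab,ou=hosts,dc=netplus,dc=fr
objectClass: top
objectClass: authorizedServiceObject
objectClass: ipHost
cn: hostlab
ipHostNumber: 192.168.45.69
authorizedService: sshd
authorizedService: ftp
"""

# Same entry with the structural class "device" added, as the reply suggests.
FIXED_LDIF = FAILING_LDIF.replace("objectClass: top\n",
                                  "objectClass: top\nobjectClass: device\n")


def parse_ldif_entry(text):
    """Parse a single LDIF entry into (dn, {attribute: [values]}).

    Handles comment lines and LDIF line folding (continuation lines that
    start with a single space). Base64 (::) values are not decoded here.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def structural_class_problem(attrs, schema=SCHEMA_KIND):
    """Return None if the objectClass set is acceptable, else a description
    approximating the 'additional info' slapd would return."""
    classes = attrs.get("objectClass", [])
    unknown = [c for c in classes if c not in schema]
    if unknown:
        return "unknown objectClass: " + ", ".join(unknown)
    structural = [c for c in classes if schema[c] == "STRUCTURAL"]
    if not structural:
        return "no structural object class provided"
    if len(structural) > 1:
        # Real slapd allows several structural classes only when they form
        # a single inheritance chain; this toy table has no inheritance.
        return "invalid structural object class chain: " + "/".join(structural)
    return None


def check_ldif(text):
    """Convenience wrapper: (dn, problem-or-None) for one LDIF entry."""
    dn, attrs = parse_ldif_entry(text)
    return dn, structural_class_problem(attrs)


if __name__ == "__main__":
    for label, ldif in (("as posted", FAILING_LDIF), ("with device", FIXED_LDIF)):
        dn, problem = check_ldif(ldif)
        print(f"{label}: {dn} -> {problem or 'OK'}")
```

Running the check locally before `ldapadd` turns the opaque result code 65 into the concrete missing class, which is what the phpldapadmin text at the end of its message is also hinting at (exactly one structural objectClass per entry).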
-----Original Message-----
From: openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org [mailto:openldap-technical-bounces+francois.mehault=netplus.fr@OpenLDAP.org] On Behalf Of Howard Chu
Sent: Friday 22 May 2009 15:49
To: John Kane
Cc: openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP
Howard Chu wrote:
Howard Chu wrote:
John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds very useful, something I would like to take advantage of, but I cannot seem to find any documentation on it. How long has this been available (what release), and where might I find more info?
It has not been released yet.
Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but it only had NSS support. The PAM support is currently only in CVS.
You can check out the current code from CVS in contrib/slapd-modules/nssov. You can browse it online here:
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
The README and slapo-nssov.5 manpage will give you a better idea of what it does.
And fyi, here's an example... For a given host:
dn: cn=hostX,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
ipHostNumber: 192.168.1.127
authorizedService: sshd
authorizedService: ftp
you use the authorizedService attribute to list the PAM services that are available. Then you set ACLs to control who can access each service, like so:
access to dn.subtree=ou=hosts,dc=example,dc=com attrs=authorizedService val.exact=sshd
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by peername.ip=192.168.2.0%255.255.255.0 read
        by * search
The overlay performs a Compare operation to check for the required service, so if you deny Compare access to a particular service, then users aren't allowed to use that service.
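Because the overlay's decision rests on whether a Compare is permitted, it is worth modelling how slapd evaluates the `by` clauses before relying on an ACL like the one above. slapd.access(5) orders access levels as none < disclose < auth < compare < search < read < write < manage, and granting a level implies every lower level, so a catch-all `by * search` still permits Compare. The following is an added example, not code from the thread or from OpenLDAP: a small first-match-wins evaluator over the three clauses quoted above, plus a constructed variant whose catch-all is lowered to `auth` so that the sshd Compare actually fails for requesters that match neither the admins group nor the 192.168.2.0/24 network. Requesters are represented as plain dicts with assumed keys `dn`, `groups` and `peer_ip`; slapd's `ip%mask` syntax is converted to the `ip/mask` form that Python's `ipaddress` module accepts.

```python
"""Model of slapd access-level evaluation for the authorizedService ACL.

Added example, not code from the thread. Level ordering is the one documented
in slapd.access(5); the clause matchers are simplified stand-ins for slapd's
"by" clause evaluation (first matching clause wins, no match grants nothing).
"""
import ipaddress

# Access levels in increasing order; a grant of a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_allows(granted, needed):
    """True if the granted level covers the needed privilege."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# --- "by" clause matchers (assumed requester dict: dn, groups, peer_ip) ---
def group_exact(group_dn):
    return lambda req: group_dn in req["groups"]


def peername_ip(network):
    # slapd writes 192.168.2.0%255.255.255.0; ipaddress wants 192.168.2.0/255.255.255.0
    net = ipaddress.ip_network(network.replace("%", "/"), strict=False)
    return lambda req: ipaddress.ip_address(req["peer_ip"]) in net


def anyone():
    return lambda req: True


ADMINS = "cn=admins,ou=groups,dc=example,dc=com"

# The ACL from the message above, for attrs=authorizedService val.exact=sshd:
AS_POSTED = [
    (group_exact(ADMINS), "write"),
    (peername_ip("192.168.2.0%255.255.255.0"), "read"),
    (anyone(), "search"),
]

# Constructed variant: catch-all lowered below "compare", so the Compare that
# nssov performs fails for everyone the first two clauses do not match.
TIGHTENED = AS_POSTED[:2] + [(anyone(), "auth")]


def granted_level(clauses, req):
    """First matching "by" clause decides; no match means no access."""
    for matcher, level in clauses:
        if matcher(req):
            return level
    return "none"


def can_compare(clauses, req):
    """Would the overlay's Compare on authorizedService=sshd succeed for req?"""
    return level_allows(granted_level(clauses, req), "compare")


# Constructed sample requesters.
ADMIN_USER = {"dn": "uid=alice,ou=people,dc=example,dc=com",
              "groups": {ADMINS}, "peer_ip": "10.9.8.7"}
LAN_USER = {"dn": "uid=bob,ou=people,dc=example,dc=com",
            "groups": set(), "peer_ip": "192.168.2.17"}
OTHER_USER = {"dn": "uid=carol,ou=people,dc=example,dc=com",
              "groups": set(), "peer_ip": "203.0.113.5"}

if __name__ == "__main__":
    for name, req in (("admin", ADMIN_USER), ("lan", LAN_USER), ("other", OTHER_USER)):
        print(f"{name}: as posted -> {can_compare(AS_POSTED, req)}, "
              f"tightened -> {can_compare(TIGHTENED, req)}")
```

The practical check this encodes: whatever level the last `by` clause grants must sit below `compare` for the "deny Compare" behaviour described above to take effect for unmatched requesters, and `ldapcompare` against the live directory with the credentials in question is the authoritative confirmation.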