I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.
pam_filter |(host=cms2)(host=cms3)
However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
cn: rick
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
sn: rick
givenName: rick
uid: rick
uidNumber: 30003
gidNumber: 513
homeDirectory: /home/rick
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: rick
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-1045966857-3925637060-4258372004-61006
sambaPrimaryGroupSID: S-1-5-21-1045966857-3925637060-4258372004-513
sambaLogonScript: logon.bat
sambaProfilePath: \x6\profiles\rick
sambaHomePath: \x6\rick
sambaHomeDrive: H:
sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
sambaPwdLastSet: 1271227877
userPassword: test
Thanks, Shamika
On Wednesday, 14 April 2010 09:58:45 Shamika Joshi wrote:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.
pam_filter |(host=cms2)(host=cms3)
However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
Use the hostObject objectclass from ldapns.schema, shipped with the pam_ldap source.
Regards, Buchan
I'm sorry, but I'm a beginner with OpenLDAP and don't have much knowledge about how to use schemas here... Could you please explain in brief how to do that?
On Wed, Apr 14, 2010 at 3:50 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 14 April 2010 09:58:45 Shamika Joshi wrote:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.
pam_filter |(host=cms2)(host=cms3)
However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
Use the hostObject objectclass from ldapns.schema, shipped with the pam_ldap source.
Regards, Buchan
On Wednesday, 14 April 2010 11:22:32 Shamika Joshi wrote:
I'm sorry, but I'm a beginner with OpenLDAP and don't have much knowledge about how to use schemas here... Could you please explain in brief how to do that?
On Wed, Apr 14, 2010 at 3:50 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 14 April 2010 09:58:45 Shamika Joshi wrote:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.
pam_filter |(host=cms2)(host=cms3)
However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
Use the hostObject objectclass from ldapns.schema, shipped with the pam_ldap source.
Well, you should have noted you were using back-config ...
It seems you have already created a custom schema, but I have converted the majority of the useful extra schemas for OpenLDAP to LDIF format for Mandriva; you can find them here:
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/openldap-extra-schemas/current/SOURCES/
So, to get the original ldapns schema, you could now download
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/openldap-extra-schemas/current/SOURCES/ldapns.ldif?revision=535500&view=co
and run:

ldapadd -x -D cn=admin,cn=config -W -f ldapns.ldif
Regards, Buchan
Shamika Joshi <shamika.joshi@gmail.com> writes:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.
pam_filter |(host=cms2)(host=cms3)
However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
[...] You either create your own auxiliary object class with the attribute type host, or add the objectclass extensibleObject with the host attribute type. If you use extensibleObject, be warned: this allows adding any attribute type.
-Dieter
On Wed, 2010-04-14 at 14:28 +0530, Shamika Joshi wrote:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.

pam_filter |(host=cms2)(host=cms3)

However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
You are violating the structural objectclass chain.
cn: rick
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
Your 'deepest' structural objectclass is an inetOrgPerson; a person is not an account. [Yea, that part is pretty dumb - account should be abstract.] posixAccount, sambaSamAccount, and shadowAccount are all abstract classes. For some [historical?] reason account is a structural objectclass. So to have an inetOrgPerson that is also an account you need to have an objectclass that seals the breach in the structural objectclass chain.
We use:
objectclass ( 1.3.6.1.4.1.6921.1.12 NAME 'mHybridPerson' DESC 'Combine several objectclasses to support multiple MUAs' SUP ( inetOrgPerson $ officePerson $ evolutionPerson ) STRUCTURAL )
objectclass ( 1.3.6.1.4.1.6921.1.24 NAME 'mHybridUserAccount' DESC 'Combine mHybridPerson and account' SUP ( mHybridPerson $ account ) STRUCTURAL )
Or you can find, or define, an abstract objectclass that permits/requires the host attribute. [Although isn't it more elegant to use groups anyway?]
I tried adding my own auxiliary objectclass as below, but I get this error; I'm definitely not doing it right. Apologies for the lack of schema knowledge, could you please correct me?
sudo ldapmodify -x -D cn=admin,cn=config -W -f hostobject.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcObjectClasses' not allowed
hostobject.ldif:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.6921.1.24 NAME 'hostobj' DESC 'Combine Samba and account' SUP top MUST $ account AUXILIARY )
On Wed, Apr 14, 2010 at 3:52 PM, Adam Tauno Williams <awilliam@opengroupware.us> wrote:
On Wed, 2010-04-14 at 14:28 +0530, Shamika Joshi wrote:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.

pam_filter |(host=cms2)(host=cms3)

However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
You are violating the structural objectclass chain.
cn: rick
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
Your 'deepest' structural objectclass is an inetOrgPerson; a person is not an account. [Yea, that part is pretty dumb - account should be abstract.] posixAccount, sambaSamAccount, and shadowAccount are all abstract classes. For some [historical?] reason account is a structural objectclass. So to have an inetOrgPerson that is also an account you need to have an objectclass that seals the breach in the structural objectclass chain.
We use:
objectclass ( 1.3.6.1.4.1.6921.1.12 NAME 'mHybridPerson' DESC 'Combine several objectclasses to support multiple MUAs' SUP ( inetOrgPerson $ officePerson $ evolutionPerson ) STRUCTURAL )
objectclass ( 1.3.6.1.4.1.6921.1.24 NAME 'mHybridUserAccount' DESC 'Combine mHybridPerson and account' SUP ( mHybridPerson $ account ) STRUCTURAL )
Or you can find, or define, an abstract objectclass that permits/requires the host attribute. [Although isn't it more elegant to use groups anyway?]
On Thu, 2010-04-15 at 14:17 +0530, Shamika Joshi wrote:
I tried adding my own auxiliary objectclass as below, but I get this error; I'm definitely not doing it right. Apologies for the lack of schema knowledge, could you please correct me?

sudo ldapmodify -x -D cn=admin,cn=config -W -f hostobject.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcObjectClasses' not allowed

hostobject.ldif:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.6921.1.24 NAME 'hostobj' DESC 'Combine Samba and account' SUP top MUST $ account AUXILIARY )
Are you employed by Morrison Industries? If "No", then you cannot define anything in "1.3.6.1.4.1.6921" (http://www.alvestrand.no/objectid/1.3.6.1.4.1.6921.html). You don't just 'make up' OIDs. Either use an existing schema object or apply for a [free] OID for your own use (http://pen.iana.org/pen/PenApplication.page).
We use:

objectclass ( 1.3.6.1.4.1.6921.1.12 NAME 'mHybridPerson' DESC 'Combine several objectclasses to support multiple MUAs' SUP ( inetOrgPerson $ officePerson $ evolutionPerson ) STRUCTURAL )

objectclass ( 1.3.6.1.4.1.6921.1.24 NAME 'mHybridUserAccount' DESC 'Combine mHybridPerson and account' SUP ( mHybridPerson $ account ) STRUCTURAL )

Or you can find, or define, an abstract objectclass that permits/requires the host attribute. [Although isn't it more elegant to use groups anyway?]
My sincere apologies... I'm a newbie in this area and I was unaware of this fact regarding OIDs. Thank you for the information. I will make the appropriate change. Would you help me correct the syntax of the LDIF file that I'm using for adding this objectclass?
On Thu, Apr 15, 2010 at 3:56 PM, Adam Tauno Williams <awilliam@opengroupware.us> wrote:
On Thu, 2010-04-15 at 14:17 +0530, Shamika Joshi wrote:
I tried adding my own auxiliary objectclass as below, but I get this error; I'm definitely not doing it right. Apologies for the lack of schema knowledge, could you please correct me?

sudo ldapmodify -x -D cn=admin,cn=config -W -f hostobject.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcObjectClasses' not allowed

hostobject.ldif:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.6921.1.24 NAME 'hostobj' DESC 'Combine Samba and account' SUP top MUST $ account AUXILIARY )
Are you employed by Morrison Industries? If "No", then you cannot define anything in "1.3.6.1.4.1.6921" (http://www.alvestrand.no/objectid/1.3.6.1.4.1.6921.html). You don't just 'make up' OIDs. Either use an existing schema object or apply for a [free] OID for your own use (http://pen.iana.org/pen/PenApplication.page).
We use:

objectclass ( 1.3.6.1.4.1.6921.1.12 NAME 'mHybridPerson' DESC 'Combine several objectclasses to support multiple MUAs' SUP ( inetOrgPerson $ officePerson $ evolutionPerson ) STRUCTURAL )

objectclass ( 1.3.6.1.4.1.6921.1.24 NAME 'mHybridUserAccount' DESC 'Combine mHybridPerson and account' SUP ( mHybridPerson $ account ) STRUCTURAL )

Or you can find, or define, an abstract objectclass that permits/requires the host attribute. [Although isn't it more elegant to use groups anyway?]
On 04/15/10 12:26, Adam Tauno Williams wrote:
On Thu, 2010-04-15 at 14:17 +0530, Shamika Joshi wrote:
I tried adding my own auxiliary objectclass as below, but I get this error; I'm definitely not doing it right. Apologies for the lack of schema knowledge, could you please correct me?

sudo ldapmodify -x -D cn=admin,cn=config -W -f hostobject.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcObjectClasses' not allowed

hostobject.ldif:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.6921.1.24 NAME 'hostobj' DESC 'Combine Samba and account' SUP top MUST $ account AUXILIARY )
Are you employed by Morrison Industries? If "No", then you cannot define anything in "1.3.6.1.4.1.6921" (http://www.alvestrand.no/objectid/1.3.6.1.4.1.6921.html). You don't just 'make up' OIDs. Either use an existing schema object or apply for a [free] OID for your own use (http://pen.iana.org/pen/PenApplication.page).
That's not actually 100% correct, because you can. However, there is going to be a collision (if his OID hasn't collided already with some pre-defined schema) if you are going/plan to use your directory with other organizations. It's the same with IP addresses. You can use whatever [IP] you want. It only depends on how far you will get. So please, don't say "can not" if you actually "can". Yes, it doesn't make it right, yet it is possible - yes, we can.
Regards, Zdenek
On Thu, 2010-04-15 at 13:01 +0200, Zdenek Styblik wrote:
That's not actually 100% correct, because you can. However, there is going to be a collision (if his OID hasn't collided already with some pre-defined schema) if you are going/plan to use your directory with other organizations. It's the same with IP addresses. You can use whatever [IP] you want. It only depends on how far you will get. So please, don't say "can not" if you actually "can". Yes, it doesn't make it right, yet it is possible - yes, we can.
Seriously? Your distinction is completely silly; "can" and "can not" apply to social conventions and practices in normal language. Fine - you want "don't", OK. I "can" set fire to buildings, and if someone said "you can't do that" *everyone* would know *exactly* what they meant. Please.
On 04/15/10 14:34, Adam Tauno Williams wrote:
On Thu, 2010-04-15 at 13:01 +0200, Zdenek Styblik wrote:
That's not actually 100% correct, because you can. However, there is going to be a collision (if his OID hasn't collided already with some pre-defined schema) if you are going/plan to use your directory with other organizations. It's the same with IP addresses. You can use whatever [IP] you want. It only depends on how far you will get. So please, don't say "can not" if you actually "can". Yes, it doesn't make it right, yet it is possible - yes, we can.
I see you got offended. Oh well.
Seriously? Your distinction is completely silly; "can" and "can not" apply to social conventions and practices in normal language. Fine -
Is it?
OpenLDAP admin guide 2.4 ('http://www.openldap.org/doc/admin24/schema.html#Extending Schema')
--- SNIP ---
Under no circumstances *should* you hijack OID namespace!
--- SNIP ---
RFC 2119 ('http://www.faqs.org/rfcs/rfc2119.html')
--- SNIP ---
3. *SHOULD* This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
--- SNIP ---
Yeah, I fully understood that I want to keep my OpenLDAP directory closed from the rest of the world, and I fully understood that I'm not going to wait nor ask IANA for an OID just because I want to try something. And yet I haven't denied this [in the meaning of valid reason] one time, or did I? Because there is a valid reason I've pointed out before and again.
you want "don't" OK. I "can" set fire to buildings, and if someone said "you can't do that" *everyone* would know *exactly* what they meant.
That is - ehm - a somewhat incorrect comparison. But hey, you obviously don't want to let it go, do you? IANA, RIPE (or ARIN for .US), etc. are no gods nor dictators or whatever. Within a private network one can do what he wants. The purpose of these organizations is to assure/ease interoperability between subjects (probably a small look into history?). Comparison to burning buildings, killing people, stealing or whatever is somewhat - out of the planet, sorry.
Please.
And btw I know you meant well, so I don't understand why you have twisted over it.
Just relax, Zdenek
On Thu, 2010-04-15 at 14:17 +0530, Shamika Joshi wrote:
I tried adding my own auxiliary objectclass as below, but I get this error; I'm definitely not doing it right. Apologies for the lack of schema knowledge, could you please correct me?

sudo ldapmodify -x -D cn=admin,cn=config -W -f hostobject.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcObjectClasses' not allowed

hostobject.ldif:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.6921.1.24 NAME 'hostobj' DESC 'Combine Samba and account' SUP top MUST $ account AUXILIARY )
I think you want to create an object that looks more like
dn: cn=mySchemaName,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mySchemaName
olcObjectClasses: ( YOUR-OWN-BLOODY-OID NAME 'hostobj' DESC 'Combine Samba and account' SUP top AUXILIARY MAY host )
And just ldapadd that.
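The structural-chain rule Adam describes and the pam_filter check from the first message, modelled as an added example (my own code, not from anyone in this thread). It assumes a hand-written schema subset, that pam_ldap ANDs the login-attribute match with pam_filter, and uses the auxiliary class name 'hostobj' defined above.

```python
# Added example, not from the thread. It models the two points the replies
# turn on: (1) adding the STRUCTURAL class 'account' to rick's entry breaks
# the structural chain, while an AUXILIARY class carrying 'host' does not,
# and (2) what the pam_filter from the first message actually tests.
# SCHEMA is a hand-written subset (kind, superior) of the core, nis and samba
# schemas; 'hostobj' is the auxiliary class defined in the thread.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "account": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
    "shadowAccount": ("AUXILIARY", "top"),
    "sambaSamAccount": ("AUXILIARY", "top"),
    "hostobj": ("AUXILIARY", "top"),
}

def ancestors(cls):
    out = set()
    while cls is not None:          # walk SUP links up to 'top'
        out.add(cls)
        cls = SCHEMA[cls][1]
    return out

def structural_chain_ok(object_classes):
    """RFC 4512 2.4.2: every STRUCTURAL class must lie on one inheritance chain."""
    structural = [c for c in object_classes if SCHEMA[c][0] == "STRUCTURAL"]
    return all(a in ancestors(b) or b in ancestors(a)
               for a in structural for b in structural)

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset (&..) (|..) (!..) (attr=value) -> (node, pos)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against entry = {attr (lower-case): [values]}."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    return not matches(node[1][0], entry)    # "!"

def host_allowed(entry, user, pam_filter):
    """pam_ldap ANDs the login lookup with pam_filter (assumed combined form)."""
    return matches(parse_filter("(&(uid=%s)(%s))" % (user, pam_filter))[0], entry)

# rick's entry from the thread, reduced to the attributes that matter here,
# after the auxiliary class and one host value have been added (constructed).
RICK_OC = ["top", "person", "organizationalPerson", "inetOrgPerson",
           "posixAccount", "shadowAccount", "sambaSamAccount"]
RICK = {"uid": ["rick"], "objectclass": RICK_OC + ["hostobj"], "host": ["cms2"]}

if __name__ == "__main__":
    print(structural_chain_ok(RICK_OC + ["account"]))             # False
    print(structural_chain_ok(RICK["objectclass"]))               # True
    print(host_allowed(RICK, "rick", "|(host=cms2)(host=cms3)"))  # True
```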
Great, it worked! Thanks a lot, Adam!
sudo ldapadd -x -W -c -D "cn=admin,cn=config" -f hostobject.ldif
regards, Shamika
On Thu, Apr 15, 2010 at 4:09 PM, Adam Tauno Williams <awilliam@opengroupware.us> wrote:
On Thu, 2010-04-15 at 14:17 +0530, Shamika Joshi wrote:
I tried adding my own auxiliary objectclass as below, but I get this error; I'm definitely not doing it right. Apologies for the lack of schema knowledge, could you please correct me?

sudo ldapmodify -x -D cn=admin,cn=config -W -f hostobject.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcObjectClasses' not allowed

hostobject.ldif:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.6921.1.24 NAME 'hostobj' DESC 'Combine Samba and account' SUP top MUST $ account AUXILIARY )
I think you want to create an object that looks more like
dn: cn=mySchemaName,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mySchemaName
olcObjectClasses: ( YOUR-OWN-BLOODY-OID NAME 'hostobj' DESC 'Combine Samba and account' SUP top AUXILIARY MAY host )
And just ldapadd that.
On Thursday, 15 April 2010 12:11:02 Shamika Joshi wrote:
Great, it worked! Thanks a lot, Adam!
sudo ldapadd -x -W -c -D "cn=admin,cn=config" -f hostobject.ldif
Why didn't you use the ldapns.schema that is provided by pam_ldap, using correct OIDs and everything?
I guess because Ubuntu, while shipping with cn=config, doesn't document how to convert .schema format schemas to ldif format? That's no reason to use random schemas, when appropriate ones already exist.
I have attached a version in ldif.
Regards, Buchan
Ooh, thanks! I would definitely go for this for the actual implementation in my lab! Thanks much, Buchan.
On Fri, Apr 16, 2010 at 2:43 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Thursday, 15 April 2010 12:11:02 Shamika Joshi wrote:
Great, it worked! Thanks a lot, Adam!
sudo ldapadd -x -W -c -D "cn=admin,cn=config" -f hostobject.ldif
Why didn't you use the ldapns.schema that is provided by pam_ldap, using correct OIDs and everything?
I guess because Ubuntu, while shipping with cn=config, doesn't document how to convert .schema format schemas to ldif format? That's no reason to use random schemas, when appropriate ones already exist.
I have attached a version in ldif.
Regards, Buchan
Buchan Milne wrote:
On Thursday, 15 April 2010 12:11:02 Shamika Joshi wrote:
Great, it worked! Thanks a lot, Adam!
sudo ldapadd -x -W -c -D "cn=admin,cn=config" -f hostobject.ldif
Why didn't you use the ldapns.schema that is provided by pam_ldap, using correct OIDs and everything?
I guess because Ubuntu, while shipping with cn=config, doesn't document how to convert .schema format schemas to ldif format? That's no reason to use random schemas, when appropriate ones already exist.
Actually, they do document it:
https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
And I helped them write it...
On Wednesday, 14 April 2010 11:22:35 Adam Tauno Williams wrote:
On Wed, 2010-04-14 at 14:28 +0530, Shamika Joshi wrote:
I'm using samba-openldap on Ubuntu 9.10 Server. I have created the following user, rick, using smbldap-tools, which uses the default samba.schema, e.g. as shown below. Now I also want to use "Host based authentication" using pam_filter, where I need to mention a host entry which has to be present in that user record.

pam_filter |(host=cms2)(host=cms3)

However, the "host" attribute appears only if I add "objectclass: account". If I go ahead and add that here for user rick, it gives me an objectclass violation. What could be the way out of it? Any inputs would be highly appreciated.
You are violating the structural objectclass chain.
cn: rick
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
Your 'deepest' structural objectclass is an inetOrgPerson; a person is not an account. [Yea, that part is pretty dumb - account should be abstract.]
No, it should be auxiliary, which it is in ldapns.schema, shipped with pam_ldap. The rest of this suggestion is a ridiculously complex solution to the problem, considering the user has problems adding an existing schema definition ...
Regards, Buchan