> [EMAIL PROTECTED] wrote:
>
>>>On Fri, 30 May 2003 20:24:12 +0200, bgmiln wrote:
>>>
>>>
>>>>BTW, I will investigate the auxiliary objectclass account
>>>>
>>>>
>>>Are you referring to the message Luke Howard sent to OpenIT's Core-Dev
>>> list that I referred to in the other openldap 2.1 thread?
>>>
>>>
>
>    I discovered that if you modify the following in
> /usr/share/openldap/schema/cosine.schema, it will allow the proper
> import of the objectclass: account (unsure of all the ramifications
> though)

Apparently, the ramifications are an RFC violation ...

> , and I still have the password update issue (users can not
> change, and su only updates passwords in ldap, not on system).
>
> Originally:
> objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
>         SUP top  STRUCTURAL
>         MUST userid
>         MAY ( description $ seeAlso $ localityName $
>                 organizationName $ organizationalUnitName $ host )
>         )
>
>
> New:
> objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
>         SUP top AUXILIARY
>         MUST userid
>         MAY ( description $ seeAlso $ localityName $
>                 organizationName $ organizationalUnitName $ host )
>         )
>

The schema in the latest pam_ldap provides the host attribute, but does
not use the account objectclass:

# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $

# LDAP Name Service Additional Schema

# http://www.iana.org/assignments/gssapi-service-names

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
        DESC 'IANA GSS-API authorized service name'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
        DESC 'Auxiliary object class for adding authorizedService attribute'
        SUP top
        AUXILIARY
        MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
        DESC 'Auxiliary object class for adding host attribute'
        SUP top
        AUXILIARY
        MAY host )


Thus, not an additional structural objectclass (as the old account
objectclass was). So, we will still have to remove the account
objectclass, but need not remove the host attributes, instead we must
ensure that the schema is available on a server after upgrade. Hopefully
libconf will be able to help here ...

For adding objectclasses for entries that have no structural objectclass,
we'll need to do some more work ...

Regards,
Buchan
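As an added illustration of the migration sketched in the message above (not code from this thread or from pam_ldap): a Python script that rewrites a constructed slapcat-style LDIF export, dropping the account objectclass, adding hostObject wherever an entry still carries host attributes, and reporting any entry that would be left without a structural objectclass, the case Buchan says still needs work. The STRUCTURAL set and the sample entries are assumptions made for the example.

```python
# Added example: rewrite a slapcat export so entries drop the 'account'
# objectclass; 'host' values move under pam_ldap's auxiliary 'hostObject'.
# Structural classes typical of user entries (assumption: extend for your schema).
STRUCTURAL = {"person", "organizationalperson", "inetorgperson", "device"}

# Constructed sample export: alice has no structural class besides 'account'.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: alice
host: shell.example.com

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
uid: carol
host: mail.example.com
"""

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries.append(attrs)
    return entries

def migrate_entry(attrs):
    """Return (rewritten_attrs, None), or (None, warning) if unsafe to rewrite."""
    classes = attrs.get("objectClass", [])
    if "account" not in {c.lower() for c in classes}:
        return attrs, None                       # nothing to change
    kept = [c for c in classes if c.lower() != "account"]
    if not {c.lower() for c in kept} & STRUCTURAL:
        return None, f"{attrs['dn'][0]}: no structural objectclass left"
    if "host" in attrs and "hostobject" not in {c.lower() for c in kept}:
        kept.append("hostObject")                # keeps 'host' schema-valid
    return {**attrs, "objectClass": kept}, None

def migrate(text):
    """Rewrite every entry; return (ldif_text, warnings) for slapadd and review."""
    out, warnings = [], []
    for attrs in parse_ldif(text):
        new, warning = migrate_entry(attrs)
        if warning:
            warnings.append(warning)
        else:
            out.append("\n".join(f"{k}: {v}" for k, vs in new.items() for v in vs))
    return "\n\n".join(out) + "\n", warnings
```

Entries reported in the warnings list need a structural class (for example inetOrgPerson) chosen by hand before re-import; the rewritten LDIF is only valid once hostObject is loaded on the upgraded server.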
