On 08/02/2016 16:44, Chuck Peters wrote:
I posted a bug report about the issue: http://tools.lsc-project.org/issues/827
Hello, thanks for using the mailing list, it's better to discuss such topics here.
http://ltb-project.org/wiki/documentation/self-service-password/0.9/config_questions

Using the Self Service Password package, it appears we can't use the "Reset by questions" feature because neither the info nor the extensibleObject attribute is available in a standard OpenLDAP installation. Perhaps I am missing some key bit of info since I am still learning about LDAP, but I think this issue is at least a documentation bug because we can't use the feature without customizing the upstream schema or adding another custom schema.

As noted in the bug report, Clément OUDOT said "The 'info' attribute is defined in cosine schema". I just checked the upstream OpenLDAP source openldap-2.4.44...

Snippets of the cosine schema:

# 9.3.4.  Information
#
#    The Information attribute type specifies any general information
#    pertinent to an object.  It is recommended that specific usage of
#    this attribute type is avoided, and that specific requirements are
#    met by other (possibly additional) attribute types.
#
#    info ATTRIBUTE
#        WITH ATTRIBUTE-SYNTAX
#            caseIgnoreStringSyntax
#            (SIZE (1 .. ub-information))
#    ::= {pilotAttributeType 4}
#
attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info'
    DESC 'RFC1274: general information'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )

...

#objectclass ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject'
#    DESC 'RFC1274: pilot object'
#    SUP top AUXILIARY
#    MAY ( info $ photo $ manager $ uniqueIdentifier $
#        lastModifiedTime $ lastModifiedBy $ dITRedirect $ audio )
#    )

So it appears the info attribute won't work without changing the schema as distributed by Debian's Jessie package 2.4.40+dfsg-1+deb8u2 or OpenLDAP 2.4.44.
Why? The info attribute is well defined.
And it appears extensibleObject is not available as an attribute either:

cp@io:/tmp/openldap-2.4.44$ grep -ri extensibleObject servers/slapd/schema/
extensibleObject is hardcoded in OpenLDAP, see servers/slapd/schema_prep.c
I should also note, I wasn't asking a question in the bug report.
Well, seems it's not a bug from my point of view.
However, since I am sending a message to the LTB users list: what attributes are people using for the $mail_attribute attribute when using the "Reset by mail tokens" feature? The mail attribute doesn't seem like a good choice because we would want to send the message to another email provider.
You can use any attribute of the objectClass that you use for your user accounts. If you use inetOrgPerson for example, you have the choice:
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson STRUCTURAL
    MAY ( audio $ businessCategory $ carLicense $ departmentNumber $
        displayName $ employeeNumber $ employeeType $ givenName $
        homePhone $ homePostalAddress $ initials $ jpegPhoto $
        labeledURI $ mail $ manager $ mobile $ o $ pager $
        photo $ roomNumber $ secretary $ uid $ userCertificate $
        x500uniqueIdentifier $ preferredLanguage $
        userSMIMECertificate $ userPKCS12 ) )

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux

_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
http://lists.ltb-project.org/listinfo/ltb-users
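As an added example (not from the thread or from the LTB/OpenLDAP projects), the check the thread turns on can be scripted: parse OpenLDAP schema text and report whether an entry's objectClasses (following their SUP chains) permit a given attribute, such as 'info' for the reset-by-questions feature, with extensibleObject special-cased because slapd hardcodes it. The embedded schema text is a constructed, abbreviated sample; person and organizationalPerson are stand-ins for the core schema entries.

```python
import re

# Constructed sample in OpenLDAP schema syntax: 'info', pilotObject and inetOrgPerson
# are abbreviated from the thread; person/organizationalPerson stand in for core schema.
SCHEMA = """
attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL
	MAY ( displayName $ givenName $ mail $ mobile $ uid ) )
objectclass ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject' SUP top AUXILIARY MAY ( info $ photo ) )
"""

def _attr_list(chunk, keyword):
    """Names in a 'MUST ( a $ b )' or 'MUST a' clause, lower-cased."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|(\w+))" % keyword, chunk)
    body = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
    return {a.strip().lower() for a in body.split("$") if a.strip()}

def parse_objectclasses(text):
    """Map objectClass name -> (sup, must, may) parsed from schema text."""
    classes = {}
    for chunk in re.split(r"(?m)^(?=objectclass\b)", text):
        if not chunk.startswith("objectclass"):
            continue  # leading attributetype lines are not needed here
        name = re.search(r"NAME\s+'([^']+)'", chunk).group(1).lower()
        sup = re.search(r"\bSUP\s+(\w+)", chunk)
        classes[name] = (sup.group(1).lower() if sup else None,
                         _attr_list(chunk, "MUST"), _attr_list(chunk, "MAY"))
    return classes

def can_store(attr, object_classes, schema=SCHEMA):
    """True if an entry with these objectClasses may carry `attr`: MUST or MAY of
    each class or its SUP chain. extensibleObject is hardcoded in slapd rather than
    defined in a schema file and permits any attribute, so it short-circuits."""
    wanted = [oc.lower() for oc in object_classes]
    if "extensibleobject" in wanted:
        return True
    classes, allowed, seen = parse_objectclasses(schema), set(), set()
    while wanted:
        oc = wanted.pop()
        if oc in seen or oc not in classes:
            continue  # 'top' is absent from the sample; unknown classes add nothing
        seen.add(oc)
        sup, must, may = classes[oc]
        allowed |= must | may
        if sup:
            wanted.append(sup)
    return attr.lower() in allowed
```

With the sample, `can_store("info", ["inetOrgPerson"])` is False, while adding pilotObject or extensibleObject makes it True.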