Susan
2006-Jan-04 19:01 UTC
[Fedora-directory-users] question about host based access control
Hi. I've fds 1.0.1 setup, posixAccount and hostObject classes added (I migrated /usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif).

What's the next step? hostObject is added to the user:

givenName: test
sn: test
loginShell: /bin/bash
gidNumber: 666
uidNumber: 666
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: posixgroup
objectClass: hostobject
uid: test
cn: test test

now what? Where in the console do I list the servers that 'test' is allowed to connect to?

Thanks!
Richard Megginson
2006-Jan-04 19:05 UTC
Re: [Fedora-directory-users] question about host based access control
Susan
2006-Jan-04 19:18 UTC
Re: [Fedora-directory-users] question about host based access control
--- Richard Megginson <rmeggins@redhat.com> wrote:
> In the Directory window in the Directory tab, select the user you want
> to add access to, edit it, and use the Advanced.... editor. See
> http://directory.fedora.redhat.com/wiki/Howto:Posix

right, I saw the link. I used the advanced editor, added the hostobject object class to the user.. Now what? Where do I list the hosts that the user is allowed to connect to?
Richard Megginson
2006-Jan-04 19:21 UTC
Re: [Fedora-directory-users] question about host based access control
Susan
2006-Jan-04 20:15 UTC
Re: [Fedora-directory-users] question about host based access control
--- Richard Megginson <rmeggins@redhat.com> wrote:
> The directions for adding the "host" attribute are under "Old Method" on
> http://directory.fedora.redhat.com/wiki/Howto:Posix
> "Finally, click on Add Attributes. Select "host" from the list of

Ah. I see the problem. I didn't have the "account" object added, so host attribute was not showing up.

Sorry! Thank you for your help, Richard.
Susan
2006-Jan-04 20:17 UTC
Re: [Fedora-directory-users] question about host based access control
--- Richard Megginson <rmeggins@redhat.com> wrote:
> Susan wrote:
> >--- Richard Megginson <rmeggins@redhat.com> wrote:

Another follow-up, is shadowAccount object class required for a posix linux account? Because I don't have it added to a test account and I seem to be able to login fine. If it's not required, why is it listed in the HowTo:Posix wiki?

Thanks.
Richard Megginson
2006-Jan-04 20:25 UTC
Re: [Fedora-directory-users] question about host based access control
Richard Megginson
2006-Jan-04 20:26 UTC
Re: [Fedora-directory-users] question about host based access control
Susan wrote:
>--- Richard Megginson <rmeggins@redhat.com> wrote:
>
>>The directions for adding the "host" attribute are under "Old Method" on
>>http://directory.fedora.redhat.com/wiki/Howto:Posix
>>"Finally, click on Add Attributes. Select "host" from the list of
>
>Ah. I see the problem. I didn't have the "account" object added, so host attribute was
>not showing up.

You should not need the "account" object class when using the new method.

>Sorry!
>
>Thank you for your help, Richard.
Susan
2006-Jan-04 20:26 UTC
[Fedora-directory-users] same UID having different passwords on different servers
Hi. Is this possible? Can user test, UID 42 have different passwords depending on the server she's trying to login to?
Susan
2006-Jan-04 20:30 UTC
Re: [Fedora-directory-users] question about host based access control
--- Richard Megginson <rmeggins@redhat.com> wrote:
> You should not need the "account" object class when using the new method.

hmm... Well, the host attribute does not show up unless I add the account object class. It shows up in the global list of attributes and in the schemas

[root@cnyldap01 schema]# grep attributeType * | grep \'host
28pilot.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )

but when I click add attribute, it's not there. Adding account oClass makes the host attr available. And I did use the new method, all I did is run this:

ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif

and bounced slapd. hostobject object class became available but not the host attribute.
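An added example, not part of the original thread: a small audit over exported LDIF that reports, for each posixAccount entry, whether its "host" values would admit a given client. The matching rules (case-insensitive exact match, "*" for any host, entries with no host value reported separately because a client enforcing a check such as pam_ldap's pam_check_host_attr would refuse them) are assumptions, as are the sample DNs and host names.

```python
import re

# Constructed sample data: the first entry mirrors the 'test' user from the
# thread with "account" and "host" values added; DNs and hosts are made up.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: posixAccount
objectClass: account
objectClass: hostobject
uid: test
host: web01.example.com
host: db01.example.com

dn: uid=nohost,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: nohost
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into attribute dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def host_allowed(entry, hostname):
    """Assumed rule: exact case-insensitive match, or '*' meaning any host."""
    hosts = [h.lower() for h in entry.get("host", [])]
    return "*" in hosts or hostname.lower() in hosts

def audit(entries, hostname):
    """Map uid -> 'allowed' / 'denied' / 'no host attribute' for posix users."""
    report = {}
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "posixaccount" not in classes:
            continue
        uid = entry.get("uid", ["?"])[0]
        if "host" not in entry:
            report[uid] = "no host attribute"
        else:
            report[uid] = "allowed" if host_allowed(entry, hostname) else "denied"
    return report

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF), "web01.example.com"))
```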
Richard Megginson
2006-Jan-04 20:34 UTC
Re: [Fedora-directory-users] question about host based access control
Pete Rowley
2006-Jan-04 21:17 UTC
Re: [Fedora-directory-users] same UID having different passwords on different servers
Susan wrote:
>Hi. Is this possible? Can user test, UID 42 have different passwords depending on the
>server she's trying to login to?

Not unless the server has a local account for the user and pam is configured to check that first.

--
Pete
Jamie McKnight
2006-Jan-04 23:15 UTC
Re: [Fedora-directory-users] same UID having different passwords on different servers
You can create a new attribute to hold the user password and use the attribute mapping function in /etc/ldap.conf (examples are in the file) if you are running Linux on the client. I have never had to do this with a Solaris client, so I am not sure if the Solaris Profile has this ability or not. We have done this in some very specific instances, but I do not recommend it for long term supportability.

Jamie

On Wed, 2006-01-04 at 12:26 -0800, Susan wrote:
> Hi. Is this possible? Can user test, UID 42 have different passwords depending on the
> server she's trying to login to?