Rich Megginson
2005-Aug-26 23:44 UTC
[Fedora-directory-users] How to get the hosts for host login restriction
As it turns out, PADL's nss/pam ldap ships with a schema that does this
very thing. On my RHEL4 system, there is a file called
/usr/share/doc/nss_ldap-226/ldapns.schema which contains the following:
# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
        DESC 'IANA GSS-API authorized service name'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
        DESC 'Auxiliary object class for adding authorizedService attribute'
        SUP top
        AUXILIARY
        MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
        DESC 'Auxiliary object class for adding host attribute'
        SUP top
        AUXILIARY
        MAY host )
It's already a standard in the sense that it already has an official
IANA OID assigned to the hostObject objectclass. It's been included
with nss/pam ldap for years.
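The hostObject class above lets an account carry a multi-valued host attribute naming the machines it may log in to. The following Python is added here as an example and is not code from the thread or from PADL: it parses such an entry from a constructed LDIF and applies the check that pam_ldap performs when its pam_check_host_attr option is enabled (exact hostname or a '*' wildcard, deny when no host values are present); that matching rule is stated as an assumption about pam_ldap's behaviour.

```python
# Constructed sample entry: a posixAccount that also carries the hostObject
# auxiliary class, which the schema above requires in order to hold 'host'.
SAMPLE_LDIF = """\
dn: uid=testdba,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: hostObject
uid: testdba
host: db01.example.com
host: db02.example.com
"""


def parse_ldif_entry(text):
    """Return {attribute_lowercase: [values]} for one LDIF entry.

    Handles plain 'attr: value' lines and LDIF line folding (continuation
    lines start with a single space); base64 (::) values are out of scope.
    """
    entry = {}
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def host_login_allowed(entry, hostname):
    """Assumed pam_check_host_attr semantics: login is permitted only if the
    local hostname (case-insensitive) or '*' appears among the entry's
    'host' values; an entry with no 'host' values is denied (fail closed)."""
    allowed = {h.lower() for h in entry.get("host", [])}
    return "*" in allowed or hostname.lower() in allowed


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    for h in ("db01.example.com", "web01.example.com"):
        print(h, "->", "allow" if host_login_allowed(user, h) else "deny")
```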
Mike Jackson
2005-Aug-27 07:28 UTC
Re: [Fedora-directory-users] How to get the hosts for host login restriction
Rich Megginson wrote:
> As it turns out, PADL's nss/pam ldap ships with a schema that does this
> very thing. On my RHEL4 system, there is a file called
> /usr/share/doc/nss_ldap-226/ldapns.schema which contains the following:

What do you think about packaging that with FDS, in the proper format?

--
mike
Rich Megginson
2005-Aug-29 13:58 UTC
Re: [Fedora-directory-users] How to get the hosts for host login restriction
Mike Jackson wrote:
> Rich Megginson wrote:
>
>> As it turns out, PADL's nss/pam ldap ships with a schema that does
>> this very thing. On my RHEL4 system, there is a file called
>> /usr/share/doc/nss_ldap-226/ldapns.schema which contains the following:
>
> What do you think about packaging that with FDS, in the proper format?

Absolutely. It's on my to do list for the next release.

> --
> mike
Igor
2005-Aug-29 20:29 UTC
[Fedora-directory-users] Problem with solaris & FDS authentication
Hi, guys. I finally got the solaris box to talk to the FDS (thank you all for
your help).
I'm now having a problem where I can't telnet/ssh from another machine.
On the client, I have this:
bash-2.03# ldaplist -l passwd testdba
dn: uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName: oracle
sn: user
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 7000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
uid: testdba
cn: oracle user
homeDirectory: /home/testdba
bash-2.03#
The ACIs (in addition to the default ones):
Bind Password:
dc=composers,dc=foo,dc=com
aci=(targetattr "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)
aci=(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)
There's nothing in the /var/adm/messages. My pam.conf [snipped] is this:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
#ssh
sshd auth sufficient /usr/lib/security/pam_ldap.so.1
sshd auth required /usr/lib/security/pam_unix.so.1 use_first_pass
---
The userPassword field is not displayed when I do ldaplist. Is that normal?
Even when I do this:
/usr/bin/ldapsearch -D "cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -h cnyitlin02 -b dc=composers,dc=foo,dc=com objectclass=\*
uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName=oracle
sn=user
loginShell=/bin/bash
uidNumber=10001
gidNumber=7000
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
objectClass=posixAccount
objectClass=shadowaccount
uid=testdba
cn=oracle user
homeDirectory=/home/testdba
How can I go about troubleshooting this?