[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Heimdal PATCH] LDAP backend support for OpenLDAP 2.1.x
On Thu, 2003-05-08 at 22:40, Howard Chu wrote:
> > -----Original Message-----
> > From: Luke Howard [mailto:lukeh@PADL.COM]
> > > OpenLDAPperson objectclass */
> > >+ /* instead of the person object class */
> > >+ ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
> > "OpenLDAPperson" );
> > > if (ret != 0) {
> > > goto out;
> >
> > What's the rationale behind this?
>
> I don't quite understand this one either. I'm guessing the change in
> objectclass is just to get an object that allows the 'uid' attributeType.
> Jose, is that the idea?
>
Well that's a very good question. I realized that is not needed to
replace the person objectclass by the OpenLDAPperson objectclass in the
original code to add krb5principal entryes in OpenLDAP.
I think I did this change because I wanted to modify the krb5principal
entries created from the kadmin tool to add new attributes from the
pilotPerson and the InetOrgPerson objectclasses with a external program.
The problem was that when I tried to use ldapmodify to change the entry
a was getting the following error:
ldap_modify: Cannot modify object class (69)
additional info: structural object class modification from
'person' to 'OpenLDAPPerson' not allowed.
So my firts idea was to change the hdb-ldap interfase so I could avoid
the previous problem 8-{. I didn't search for other solution to modify
the original entry.
This is the original entry extended with the OpenLDAP objectclass I have
in my LDAP server:
# albertop@security.test.com.mx, security, test, com.mx
dn: cn=albertop@security.test.com.mx,ou=security,o=test,dc=com,dc=mx
krb5PrincipalName: albertop@SECURITY.TEST.COM.MX
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
krb5Key:: MEagAwIBAaE/MD2gAwIBEKE2BDTounHSaMVlgr6le8EXSItppj1xA4M9H+1YJTcp5S4R
Ta/i/dmNWmmtKzDiYFTln8zK2sSZ
krb5Key:: MDagAwIBAaEvMC2gAwIBA6EmBCSA8GCwQCJAftw7uRz01eQAtUV+rjhnrtVP7B0XTAKJ
RqpASmw=
krb5Key:: MDagAwIBAaEvMC2gAwIBAqEmBCSufmEE+Se405upjhDrgAyu4SJ08A3YFhuahWRYBxir
ei7jtcc=
krb5Key:: MDagAwIBAaEvMC2gAwIBAaEmBCQRX5yNEQd3pDe2sdFr6rXiuZmXzG3uQtilsegdVPJ3
c43dtBQ=
uid: albertop
objectClass: top
objectClass: OpenLDAPperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: albertop@security.test.com.mx
cn: Jose Alberto Patino Limon
cn: Alberto Patino
sn: Patino
title: Kerberos y LDAP Guru
postalAddress:: SVREIFByb2QgRGV2ICYgRGVwbG95bWVudCAkIFZpdG8gQWxlc3NpbyBSb2JsZX
MgIzY4IDFlciBQaXNvICQgQ29sIEZsb3JpZGEsIE1leGljbyBERiA=
mail: jalbertop@aranea.com.mx
homePostalAddress: Polvora 11 San Fernando $ Huixquilucan , Edo Mex 52765
description: Seguridad, LDAP y Kerberos
drink: Tamarindo Clight
homePhone: +5 815 18 83
pager: +044555 101 66 84
telephoneNumber: +5 661 37 80
userPassword:: e2NyeXB0fW52ZkVpMWdwdTdQNEU=
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/albertop
gecos: Alberto Patino Limon
In conclusion, you both are right guys, is not needed to replace the
person objectclass with the OpenLDAPperson objectclass. The hdb-ldap
interfase works with no changes to the objectclass attribute.