
RE: [Heimdal PATCH] LDAP backend support for OpenLDAP 2.1.x

On Thu, 2003-05-08 at 22:40, Howard Chu wrote:
> > -----Original Message-----
> > From: Luke Howard [mailto:lukeh@PADL.COM]
> > > OpenLDAPperson objectclass       */
> > >+	/* instead of the person object class */
> > >+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
> > "OpenLDAPperson" );
> > > 	if (ret != 0) {
> > > 	    goto out;
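Review bot: The `LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "OpenLDAPperson")` line swaps the structural object class of every entry hdb-ldap creates from person to OpenLDAPperson, and neither the hunk nor the accompanying comment ("instead of the person object class") gives a reason; a structural-class change is visible to every client and schema that expects the backend's entries to be person objects, so either state the rationale in the patch description or keep the original person class (the rest of this thread concludes the swap is not needed to add krb5Principal entries).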
> >
> > What's the rationale behind this?
> I don't quite understand this one either. I'm guessing the change in
> objectclass is just to get an object that allows the 'uid' attributeType.
> Jose, is that the idea?

Well that's a very good question. I realized that it is not needed to
replace the person objectclass by the OpenLDAPperson objectclass in the
original code to add krb5principal entries in OpenLDAP.

I think I did this change because I wanted to modify the krb5principal
entries created from the kadmin tool to add new attributes from the
pilotPerson and the InetOrgPerson objectclasses with an external program.

The problem was that when I tried to use ldapmodify to change the entry
I was getting the following error:

ldap_modify: Cannot modify object class (69)
        additional info: structural object class modification from
'person' to 'OpenLDAPPerson' not allowed.

So my first idea was to change the hdb-ldap interface so I could avoid
the previous problem 8-{. I didn't search for another solution to modify
the original entry.

This is the original entry extended with the OpenLDAP objectclass I have
in my LDAP server:

# albertop@security.test.com.mx, security, test, com.mx
dn: cn=albertop@security.test.com.mx,ou=security,o=test,dc=com,dc=mx
krb5PrincipalName: albertop@SECURITY.TEST.COM.MX
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
krb5Key:: MEagAwIBAaE/MD2gAwIBEKE2BDTounHSaMVlgr6le8EXSItppj1xA4M9H+1YJTcp5S4R
krb5Key:: MDagAwIBAaEvMC2gAwIBA6EmBCSA8GCwQCJAftw7uRz01eQAtUV+rjhnrtVP7B0XTAKJ
krb5Key:: MDagAwIBAaEvMC2gAwIBAqEmBCSufmEE+Se405upjhDrgAyu4SJ08A3YFhuahWRYBxir
krb5Key:: MDagAwIBAaEvMC2gAwIBAaEmBCQRX5yNEQd3pDe2sdFr6rXiuZmXzG3uQtilsegdVPJ3
uid: albertop
objectClass: top
objectClass: OpenLDAPperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: albertop@security.test.com.mx
cn: Jose Alberto Patino Limon
cn: Alberto Patino
sn: Patino
title: Kerberos y LDAP Guru
postalAddress:: SVREIFByb2QgRGV2ICYgRGVwbG95bWVudCAkIFZpdG8gQWxlc3NpbyBSb2JsZX
mail: jalbertop@aranea.com.mx
homePostalAddress: Polvora 11 San Fernando  $ Huixquilucan , Edo Mex 52765
description: Seguridad, LDAP y Kerberos 
drink: Tamarindo Clight
homePhone: +5 815 18 83
pager: +044555 101 66 84
telephoneNumber: +5 661 37 80
userPassword:: e2NyeXB0fW52ZkVpMWdwdTdQNEU=
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/albertop
gecos: Alberto Patino Limon

In conclusion, you are both right, guys; it is not needed to replace the
person objectclass with the OpenLDAPperson objectclass. The hdb-ldap
interface works with no changes to the objectclass attribute.
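The ldapmodify failure quoted above (result code 69, "structural object class modification from 'person' to 'OpenLDAPPerson' not allowed") follows from a rule slapd enforces on every modify: the entry's most derived structural object class may not change, not even to a subclass, while auxiliary classes such as posixAccount or krb5KDCEntry can be added freely. The Python below is an added example, not code from this thread or from Heimdal or OpenLDAP. It parses an LDIF entry modelled on the one in the message (with the keys and personal details left out, and a base64 `::` value to exercise the decoder), computes the structural class from a small constructed slice of the OpenLDAP schema (person, organizationalPerson, inetOrgPerson, pilotPerson, OpenLDAPperson; the real server loads these from slapd.conf), and reports which objectClass modifications slapd would accept. The schema table, the sample entry and the function names are all assumptions made for the example.

```python
import base64

# Constructed, minimal slice of the schema an OpenLDAP 2.1 slapd loads from
# core/cosine/inetorgperson/openldap.schema: each structural class and its
# superior(s). Assumption: a real server reads the full schema from slapd.conf.
STRUCTURAL_SUPERIORS = {
    "person": ("top",),
    "organizationalPerson": ("person",),
    "inetOrgPerson": ("organizationalPerson",),
    "pilotPerson": ("person",),
    "OpenLDAPperson": ("pilotPerson", "inetOrgPerson"),
}
ABSTRACT = {"top"}
# Auxiliary classes (nis.schema, krb5-kdc.schema) never take part in the
# structural chain, so adding them to an existing entry is allowed.
AUXILIARY = {"posixAccount", "shadowAccount", "krb5Principal", "krb5KDCEntry"}
# LDAP compares object class names case-insensitively ('OpenLDAPPerson' in
# the server's error text is the same class as 'OpenLDAPperson').
CANONICAL = {c.lower(): c for c in
             list(STRUCTURAL_SUPERIORS) + list(ABSTRACT) + list(AUXILIARY)}

LDAP_SUCCESS = 0
LDAP_OBJECT_CLASS_MODS_PROHIBITED = 69  # the result code in the thread's error


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.

    Handles '#' comment lines, folded continuation lines (leading space) and
    '::' base64 values, the form ldapsearch uses for binary or non-ASCII
    attributes such as krb5Key and userPassword."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            decoded = base64.b64decode(value[1:].strip())
            try:
                value = decoded.decode("utf-8")
            except UnicodeDecodeError:      # e.g. DER-encoded krb5Key: keep bytes
                value = decoded
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def canonical(name):
    """Map a class name to its schema spelling, or fail like a server would."""
    try:
        return CANONICAL[name.lower()]
    except KeyError:
        raise ValueError("unknown object class: %s" % name)


def ancestors(cls):
    """All superclasses of a structural class, transitively."""
    result = set()
    for sup in STRUCTURAL_SUPERIORS.get(cls, ()):
        result.add(sup)
        result |= ancestors(sup)
    return result


def structural_class(object_classes):
    """The entry's structural object class as slapd computes it: the single
    most derived structural class among the objectClass values."""
    classes = list(dict.fromkeys(canonical(c) for c in object_classes))
    candidates = [c for c in classes if c in STRUCTURAL_SUPERIORS]
    leaves = [c for c in candidates
              if not any(c in ancestors(o) for o in candidates if o != c)]
    if len(leaves) != 1:                    # slapd: objectClassViolation
        raise ValueError("entry needs exactly one structural chain, got %s" % leaves)
    return leaves[0]


def modify_object_class_result(current, proposed):
    """Result code for a modify that turns objectClass list `current` into
    `proposed`: any change of the structural class, even to a subclass such
    as person -> OpenLDAPperson, is refused with objectClassModsProhibited."""
    if structural_class(current) != structural_class(proposed):
        return LDAP_OBJECT_CLASS_MODS_PROHIBITED
    return LDAP_SUCCESS


# Constructed entry modelled on the one in the thread; description is a
# base64 '::' value so the decoder path is exercised.
SAMPLE_LDIF = """\
# albertop@security.test.com.mx, security, test, com.mx
dn: cn=albertop@security.test.com.mx,ou=security,o=test,dc=com,dc=mx
krb5PrincipalName: albertop@SECURITY.TEST.COM.MX
krb5KeyVersionNumber: 1
uid: albertop
objectClass: top
objectClass: OpenLDAPperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: albertop@security.test.com.mx
sn: Patino
description:: U2VndXJpZGFkLCBMREFQIHkgS2VyYmVyb3M=
homeDirectory: /home/albertop
"""

# What the unmodified hdb-ldap backend writes: structural class is plain person.
KADMIN_CLASSES = ["top", "person", "krb5Principal", "krb5KDCEntry"]


def main():
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("structural class of sample:", structural_class(entry["objectclass"]))
    # The thread's ldapmodify attempt: person -> OpenLDAPperson is refused (69).
    print("person -> OpenLDAPperson:",
          modify_object_class_result(KADMIN_CLASSES, entry["objectclass"]))
    # Adding only auxiliary classes leaves person in place and succeeds (0).
    print("add posixAccount:",
          modify_object_class_result(KADMIN_CLASSES, KADMIN_CLASSES + ["posixAccount"]))


if __name__ == "__main__":
    main()
```

The practical consequence matches the thread's conclusion: entries created by kadmin keep person as their structural class, and an external program can still attach auxiliary classes and their attributes to them without touching hdb-ldap; only an attempt to move the entry to a different structural class (OpenLDAPperson, inetOrgPerson) is what the server rejects with code 69.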