
We have a legacy custom webapp that authenticates users against an OpenLDAP server. We are trying to set up another, separate OpenLDAP server to replace the older one, but we need to make the new OpenLDAP server compatible with this legacy app. The app reads a 'host' attribute from the user's attributes to get their permissions level for the app.

My problem is that whenever I try to manually add the 'host' attribute to any 'person' in the new directory I get the error: #!ERROR [LDAP: error code 65 - attribute 'host' not allowed].

I've tried Apache DS, ldapvi, ldapmodify, etc. to add this attribute, but no matter what I try it says it's not allowed.

Is there an easy way to add this 'host' attribute already defined in cosine.(ldif|schema) to the 'person' objectclass defined in core.(ldif|schema)? I'm relatively new to ldap schema and am looking for the shortest and easiest method available.

2 Answers


I would create a new custom objectclass "MyCompanyPerson", defining it as deriving from person, and adding or creating the attributes I wanted. Does that sound like it's what you want?

EDIT:

I'm not a world expert on this, but this is an anonymized version of what I am using today. It's annoying that there are no local-use OIDs (no way that my LDAP is ever getting connected to somebody else's), but you can request your own OID if you want.

```
$ for i in * ; do echo ; echo $i ; echo ; cat $i | sed 's/^/ /' ; done
```

mycompany.conf

```
include /etc/openldap/schema/oidmacros
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/mycompany.schema
```

mycompany.schema

```
attributeType ( MyCompanyInternalTelephone-oid
    NAME 'MyCompanyInternalTelephone'
    DESC 'MyCompany Internal Telephone'
    EQUALITY telephoneNumberMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
    SINGLE-VALUE
    X-ORIGIN 'Custom MyCompany Internal Telephone Directory' )

attributeType ( MyCompanyPhotoURL-oid
    NAME 'MyCompanyPhotoURL'
    DESC 'MyCompany Photo URL'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    X-ORIGIN 'Custom MyCompany Wiki' )

objectClass ( MyCompanyPerson-oid
    NAME 'MyCompanyPerson'
    DESC 'MyCompany Person'
    SUP ( inetOrgPerson )
    STRUCTURAL
    MUST ( )
    MAY ( MyCompanyInternalTelephone $ MyCompanyPhotoURL $ sshPublicKey )
    X-ORIGIN 'Custom MyCompany Directory' )
```

oidmacros

```
# OID Macros
#
# Yellowbank's IANA Assigned OID for testing
objectIdentifier MyCompany 1.3.6.1.4.1.25948.1
objectIdentifier MyCompanyAT MyCompany:1
objectIdentifier MyCompanyOC MyCompany:2
objectIdentifier MyCompanyPhotoURL-oid MyCompanyAT:100
objectIdentifier MyCompanyInternalTelephone-oid MyCompanyAT:101
objectIdentifier MyCompanyPerson-oid MyCompanyOC:1
```

openssh.schema

```
# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13
    NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0
    NAME 'ldapPublicKey'
    SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid ) )
```
  • This sounds good, can you go into more detail about how I would accomplish this? Commented Feb 3, 2016 at 20:36
  • Edited to add a sample config Commented Feb 4, 2016 at 8:36

You need to include the ldapns.schema:

```
include /etc/openldap/schema/ldapns.schema
```

The ldapns schema gives you an auxiliary objectClass "hostObject". If you add this to your person, the "host" attribute would be available.
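The following is an added example, not part of either answer above. It is a POSIX shell script that builds the two LDIF changes a practitioner would actually apply once ldapns.schema is loaded: one `changetype: modify` that adds the `hostObject` auxiliary class and the `host` value to an existing person entry in a single operation (so the entry never fails schema checking half-way), and one cn=config change that limits who may write `host`, since the legacy app derives its permission level from that attribute and a user who can edit their own entry must not be able to grant themselves more. The DN `uid=jdoe,ou=people,dc=example,dc=com`, the admin DN `cn=admin,dc=example,dc=com`, the database entry `olcDatabase={1}mdb,cn=config` and the value `appadmin` are all constructed placeholders, and `verify_host_entry` is a hypothetical helper for checking an `ldapsearch -LLL` dump after the change.

```shell
#!/bin/sh
# Added example for the hostObject approach; not code from the original answers.
# All DNs and the value "appadmin" below are constructed placeholders.

# Emit an LDIF modify that adds the hostObject auxiliary objectClass and one
# host value to an existing entry in the same operation. Doing both in one
# modify matters: adding 'host' alone is exactly what produced error 65
# ("attribute 'host' not allowed") in the question.
host_modify_ldif() {
    dn=$1
    host=$2
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: hostObject\n-\nadd: host\nhost: %s\n-\n' "$dn" "$host"
}

# Emit an LDIF modify for cn=config that inserts an access rule at position 0
# so it is evaluated before any broader "to * by self write" style rule
# (OpenLDAP stops at the first matching "to" clause). Only the given admin DN
# may write 'host'; everyone else, including the entry's owner, may only read.
# Assumes the database entry is olcDatabase={1}mdb,cn=config (constructed).
host_acl_ldif() {
    admin_dn=$1
    printf 'dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nadd: olcAccess\nolcAccess: {0}to attrs=host by dn.exact="%s" write by * read\n-\n' "$admin_dn"
}

# Hypothetical check helper: read an LDIF entry dump (e.g. from
# `ldapsearch -LLL`) on stdin and succeed only if it carries both the
# hostObject objectClass and at least one host value.
verify_host_entry() {
    ldif=$(cat)
    printf '%s\n' "$ldif" | grep -q '^objectClass: hostObject$' &&
    printf '%s\n' "$ldif" | grep -q '^host: '
}

# Usage against a real server (not executed here; constructed DNs):
#   host_modify_ldif "uid=jdoe,ou=people,dc=example,dc=com" appadmin \
#       | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W
#   host_acl_ldif "cn=admin,dc=example,dc=com" \
#       | ldapmodify -Y EXTERNAL -H ldapi:///
#   ldapsearch -x -LLL -b "uid=jdoe,ou=people,dc=example,dc=com" objectClass host \
#       | verify_host_entry && echo "host attribute present"
```

The ACL rule is the piece the second answer does not mention: once `host` decides what a user may do in the app, the directory's write access on that attribute is part of the app's authorization boundary, so it should be restricted to the same principals that administer the app, and the rule must sit before any `to *` rule or it is never reached.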
