[Fedora-directory-users] adding an attribute, howto?

Richard Megginson rmeggins at redhat.com
Thu Dec 21 19:04:31 UTC 2006


MJD Shop Account wrote:
> I would like to use the pam_passthru plugin to use kerberos 
> authentication via pam_krb5, but am running into a few issues.  I need 
> to specify an attribute to use, as I have multiple realms--my uid is 
> just a login name, for the kerberos to work I need <uid>@<realm>.  I 
> wasn't sure what to use for the attribute, and was thinking of 
> hijacking the 'description' attribute for this purpose.  However 
> another posting to this list gave me the idea of just extending the 
> schema with an additional attribute in 99user.ldif.  I would likely 
> want to copy the definition for 'uid' from, say class posixaccount, 
> but rename it to krb5uid or something.  Can anyone point me to 
> detailed instructions?  Is this trivial or difficult?  I looked at the 
> current schema files and was not sure what I would need to copy to make 
> it work, and how to add the new attribute explicitly to the class 
> schema as an optional attribute.
It's not that difficult to create your own attribute.  The hardest thing 
is creating your own OID.  If you just try to copy the definition of uid 
without creating a unique OID, you will get lots of errors.

Once you do that, you can just add your new attribute using ldapmodify.  
Not only will this add your new attribute type to 99user.ldif, but it 
will also ensure that it will be replicated.

You should then create your own AUXILIARY objectclass that has your new 
attribute type as an allowed attribute, and add this objectclass to all 
users that you want to add the attribute to.  Also add your objectclass 
definition using ldapmodify to ensure it is replicated properly.
>
> What are the consequences of adding such an attribute when replication 
> is occurring?  I assume I must extend the schema on each server, what 
> happens if I neglect to extend the schema on one server and it 
> receives replica info that has this new attribute populated for some 
> users?
Schema replication happens before data replication.
>
> I would also entertain the idea of having an attribute with just the 
> realm (or a proxy for the realm), and constructing the krbuid 
> equivalent via some operational attribute that constructs it via uid + 
> "@" + realm on the fly, if this is possible.  I might even be able to 
> do this using existing location attribute or another existing 
> attribute, I can easily determine the correct realm from 
> corresponding location-specific info associated with each user.  But, 
> I don't know how to do this in practice.
This is not really possible.  I suppose the right way to do this would 
be to extend the SASL mapping code to be used by pam passthrough.
>
> Also, if anyone has an example pam ldapserver file they could share, I 
> would appreciate it.
>
> -Marty
>
>
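The steps Richard outlines (a unique OID, the attribute type pushed to cn=schema with ldapmodify so it lands in 99user.ldif and replicates, an AUXILIARY objectclass that allows the attribute, and that objectclass added to each user) as an added worked example; this is editor-supplied code, not something posted in the thread. It assumes the names krb5uid and krb5uidUser, the base DN dc=example,dc=com, the user uid=marty, a Kerberos realm EXAMPLE.COM, OpenLDAP's ldapmodify flags, and a 389 DS style schema directory under /etc/dirsrv/slapd-<instance>/schema. The "<name>-oid" placeholder OID is a 389/Fedora DS convention for sites without their own OID arc; it is unique within the server but not globally registered, which is why the lead-in and comments flag it as a stop-gap.

```shell
#!/bin/sh
# Added example (not from the list thread): define a custom attribute type
# plus an AUXILIARY objectclass on 389/Fedora DS via LDAP, check the names
# are free first, then tag a user entry. All names below are assumptions.

# 389 DS accepts "<name>-oid" as a placeholder OID when you own no OID arc.
# It avoids the "copied uid's OID" errors, but replace it with a real OID
# (for example under your IANA enterprise number) before relying on it.
attr_oid() { printf '%s-oid' "$1"; }

# LDIF for cn=schema. The attribute goes in its own record so it already
# exists when the server validates the objectclass's MAY list. Realms are
# case-sensitive, so caseExactMatch is used rather than uid's caseIgnore.
schema_ldif() {
    attr="$1"; oc="$2"
    cat <<EOF
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( $(attr_oid "$attr") NAME '${attr}' DESC 'Kerberos principal handed to pam_passthru' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( $(attr_oid "$oc") NAME '${oc}' DESC 'Auxiliary class carrying ${attr}' SUP top AUXILIARY MAY ( ${attr} ) X-ORIGIN 'user defined' )
EOF
}

# LDIF that adds the auxiliary objectclass and the value to one user entry.
user_ldif() {
    dn="$1"; oc="$2"; attr="$3"; value="$4"
    cat <<EOF
dn: ${dn}
changetype: modify
add: objectClass
objectClass: ${oc}
-
add: ${attr}
${attr}: ${value}
EOF
}

# Return 0 when none of the given schema names (attribute or objectclass,
# aliases included, since they are all quoted in the definition) already
# appears in the instance's schema directory; 1 on a clash, 2 on a bad dir.
# Run this against every replica's schema directory before ldapmodify.
schema_names_free() {
    dir="$1"; shift
    [ -d "$dir" ] || { echo "no such schema directory: ${dir}" >&2; return 2; }
    for name in "$@"; do
        if grep -qiF "'${name}'" "$dir"/*.ldif 2>/dev/null; then
            echo "schema name '${name}' is already defined in ${dir}" >&2
            return 1
        fi
    done
    return 0
}

# Network side, only when invoked as "apply": check, then push both LDIFs
# with OpenLDAP's ldapmodify as Directory Manager. Hostnames are assumptions.
if [ "${1:-}" = "apply" ]; then
    schema_names_free /etc/dirsrv/slapd-example/schema krb5uid krb5uidUser || exit 1
    schema_ldif krb5uid krb5uidUser \
        | ldapmodify -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W
    user_ldif "uid=marty,ou=People,dc=example,dc=com" krb5uidUser krb5uid "marty@EXAMPLE.COM" \
        | ldapmodify -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W
fi
```

Because the schema change is applied over LDAP rather than by editing 99user.ldif on disk, the supplier keeps it in the replicated schema, which is the behaviour Richard describes; the name check is there because copying uid's definition verbatim collides on both the OID and the NAME, and the server rejects the duplicate.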