
We have a legacy custom webapp that authenticates users against an OpenLDAP server. We are trying to set up another, separate OpenLDAP server to replace the older one, but we need to make the new OpenLDAP server compatible with this legacy app. The app reads a 'host' attribute from the user's attributes to get their permissions level for the app.

My problem is that whenever I try to manually add the 'host' attribute to any 'person' in the new directory I get the error: #!ERROR [LDAP: error code 65 - attribute 'host' not allowed].

I've tried Apache DS, ldapvi, ldapmodify, etc. to add this attribute, but no matter what I try it says it's not allowed.

Is there an easy way to add this 'host' attribute, already defined in cosine.(ldif|schema), to the 'person' objectclass defined in core.(ldif|schema)? I'm relatively new to LDAP schema and am looking for the shortest and easiest method available.

Karl

2 Answers


I would create a new custom objectclass "MyCompanyPerson", defining it as deriving from person, and adding or creating the attributes I wanted. Does that sound like it's what you want?

EDIT:

I'm not a world expert on this, but this is an anonymized version of what I am using today. It's annoying that there are no local-use OIDs (no way that my LDAP is ever getting connected to somebody else's), but you can request your own OID if you want.

$ for i in * ; do echo ; echo "$i" ; echo ; sed 's/^/    /' "$i" ; done

mycompany.conf

include /etc/openldap/schema/oidmacros
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
# openssh.schema defines sshPublicKey, which mycompany.schema lists under MAY,
# so it has to be loaded before mycompany.schema
include /etc/openldap/schema/openssh.schema
include /etc/openldap/schema/mycompany.schema

mycompany.schema

# slapd.conf treats a line starting with whitespace as a continuation of the previous line
attributeType ( MyCompanyInternalTelephone-oid
    NAME 'MyCompanyInternalTelephone'
    DESC 'MyCompany Internal Telephone'
    EQUALITY telephoneNumberMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50
    SINGLE-VALUE
    X-ORIGIN 'Custom MyCompany Internal Telephone Directory' )

attributeType ( MyCompanyPhotoURL-oid
    NAME 'MyCompanyPhotoURL'
    DESC 'MyCompany Photo URL'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    X-ORIGIN 'Custom MyCompany Wiki' )

objectClass ( MyCompanyPerson-oid
    NAME 'MyCompanyPerson'
    DESC 'MyCompany Person'
    SUP ( inetOrgPerson ) STRUCTURAL
    MUST ( )
    MAY ( MyCompanyInternalTelephone $ MyCompanyPhotoURL $ sshPublicKey )
    X-ORIGIN 'Custom MyCompany Directory' )

oidmacros

# OID Macros
#
# Yellowbank's IANA Assigned OID for testing
objectIdentifier  MyCompany                       1.3.6.1.4.1.25948.1
objectIdentifier  MyCompanyAT                     MyCompany:1
objectIdentifier  MyCompanyOC                     MyCompany:2

objectIdentifier MyCompanyPhotoURL-oid  MyCompanyAT:100
objectIdentifier MyCompanyInternalTelephone-oid MyCompanyAT:101

objectIdentifier MyCompanyPerson-oid    MyCompanyOC:1

openssh.schema

# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
    DESC 'MANDATORY: OpenSSH Public key' 
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid ) 
    )
Law29

You need to include the ldapns.schema.

include         /etc/openldap/schema/ldapns.schema

The ldapns schema gives you an auxiliary objectClass "hostObject". If you add this to your person, the "host" attribute would be available.

Cobra Kai Dojo
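Putting the second answer into practice, as an added example that is not part of either answer: once ldapns.schema is included, a person entry gets the 'host' attribute by adding the auxiliary objectClass 'hostObject' and the 'host' value in one LDIF modify. The DN, bind DN and host value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers. Grants an existing person
# entry the 'host' attribute by adding the auxiliary objectClass 'hostObject'
# (from ldapns.schema) together with one 'host' value.

# Emit an LDIF modify record. Both changes sit in one record, separated by
# the '-' line, so the server applies them as a single operation and the
# schema check sees 'host' together with the objectClass that allows it;
# adding 'host' alone is what produces error 65 (object class violation).
make_host_ldif() {
    dn="$1"
    hostval="$2"
    printf '%s\n' \
        "dn: $dn" \
        "changetype: modify" \
        "add: objectClass" \
        "objectClass: hostObject" \
        "-" \
        "add: host" \
        "host: $hostval"
}

# Apply the record with ldapmodify (simple bind, password prompted with -W),
# then read back only the two attributes the legacy app depends on.
apply_host_attr() {
    dn="$1"
    hostval="$2"
    binddn="$3"
    make_host_ldif "$dn" "$hostval" | ldapmodify -x -D "$binddn" -W
    ldapsearch -x -LLL -b "$dn" -s base objectClass host
}

# Usage against a running slapd that includes ldapns.schema (placeholder DNs):
# apply_host_attr "uid=jdoe,ou=People,dc=example,dc=com" "legacyapp" \
#                 "cn=admin,dc=example,dc=com"
```

If the modify still fails with error 65, the schema was not loaded: check that the include line sits before any schema referencing 'host' and that slapd was restarted.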