LDAP – how to use attribute from objectclass:account and objectclass:inetOrgPerson


I have an OpenLDAP which I use for authenticating users to various servers, where each user can have access to a varying number of hosts. I am solving that requirement by using the "host" attribute, and a filter in the PAM config of the machines using the LDAP for authentication, as described e.g. in https://wiki.debian.org/LDAP/PAM (by using the query "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=*)))").

Now I also have the need to add an attribute for emails to the user entries, for which objectclass:inetOrgPerson seems to be the best fit.

However, I can't use both objectclass:account and objectclass:inetOrgPerson at the same time; I can use objectclass:posixAccount and objectclass:inetOrgPerson, as described e.g. in "Adding inetOrgPerson to account/posixAccount LDAP entries", but then I lose the "host" attribute.

Anyone having a suggestion how to solve this issue? Is "extensibleObject" the only way to go?

EDIT: In the end, I used extensibleObject for that; doesn't feel like the "correct" solution because it reduces the usefulness of schema checks, but it seems to have been the only reasonable way.

Best Answer

If it's strictly ssh you could use AllowGroups and/or its kin in ssh_config. (Note: rfc2703bis schema allows for inheritance in groups, at least with sssd, rfc2703 aka nis schema does not.)

Otherwise, use extensibleObject, or you could write your own schema either to AUX host or SUP to posixAccount.

You could also restrict responses using OpenLDAP's access control, but I'm not getting into the details of that.
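The "write your own schema ... AUX" option from the answer, shown as an added example (this is not part of the question or the answer, and not OpenLDAP's own schema): a small site-local AUXILIARY object class that permits only the cosine `host` attribute, so a user entry can be `posixAccount` + `inetOrgPerson` + this class without falling back to `extensibleObject`. It assumes an OpenLDAP server with the `cn=config` backend and the cosine schema already loaded (cosine is what defines both `account` and `host`); the class name `localHostAccess`, the OID arc `1.3.6.1.4.1.99999` and the user `alice` are placeholders, and the OID must be replaced with one from an arc you actually own.

```ldif
# Added example, not from the original page. Load with:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f localhostaccess.ldif
# OID arc 1.3.6.1.4.1.99999 is a PLACEHOLDER: substitute your own registered arc.
# Requires the cosine schema (which defines 'host') to be loaded already.
dn: cn=localhostaccess,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: localhostaccess
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2.1
  NAME 'localHostAccess'
  DESC 'Auxiliary class that only permits the cosine host attribute (placeholder)'
  SUP top AUXILIARY
  MAY host )

# Constructed sample user entry (placeholder values) using the new class next to
# posixAccount and inetOrgPerson; no extensibleObject is needed, and schema
# checking still rejects any attribute other than those the three classes allow.
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: localHostAccess
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
host: web1
host: web1.example.com
```

With this in place the PAM filter from the question, `(&(objectClass=posixAccount)(uid=alice)(|(host=web1)(host=web1.example.com)(host=*)))`, matches the entry unchanged. Because the class is `AUXILIARY` with a single `MAY`, the server keeps enforcing the schema: a typo such as `hosts:` is rejected at `ldapadd` time, whereas `extensibleObject` would silently accept it and the user would then fail the host check. Entries that carry the wildcard `host: *` grant access on every machine, so they are worth auditing separately.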