objectclass needed for host attribute


This topic has 7 replies, 4 voices, and was last updated 4 years, 1 month ago by Andy Cory.


    I want to use the host attribute to restrict the users that can log in to a server.

    I use this LDIF:

    dn: uid=mwa_test,dc=exemple,dc=com
    changetype: modify
    add: host
    host: cjlldapclttst.exemple.com

    But it gives an error that it is not allowed by any object class defined in that entry.

    These are the objectclasses defined:
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount

    Some info on the web says I need to install nss_ldap and add the hostObject objectclass, but does it apply to DS6?

    I am running directory services 6.


     Chris Ridd

    Our default schema defines the host attribute from RFC 4524, and the account objectClass (also from RFC 4524) allows the use of the host attribute. I don’t know where hostObject is defined.

    attributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch SYNTAX{256}
      X-ORIGIN 'RFC 4524' )
    objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL
      MUST uid MAY ( description $ seeAlso $ l $ o $ ou $ host )
      X-ORIGIN 'RFC 4524' )

    So I think you just need to add the account objectClass to your entry.


    I tried that but it gives the following error:

    #!ERROR [LDAP: error code 65 – Entry uid=mwa_test,ou=People,dc=exemple,dc=com … cannot be modified because the resulting entry would have violated the server schema: Entry uid=mwa_test,ou=People,dc=exemple,dc=com violates the Directory Server schema configuration because it includes multiple conflicting structural objectclasses inetOrgPerson and account. Only a single structural objectclass is allowed in an entry]

    Can I replace inetOrgPerson with account and still be able to use the account to log in to servers?

    I read that I could add extensibleObject instead and then could add the host attribute?

    Thanks a lot.

     Michelle Reagin

    Yes, it fails because there is already a structural objectclass assigned to the entry that is not in the same chain of structural objectclasses (inetOrgPerson, organizationalPerson, and person are in a different chain than account). I would recommend creating a custom objectclass that’s auxiliary and allows (or requires) attribute host and assign the custom objectclass and attribute to the user.

     Chris Ridd

    Perhaps that’s all the hostObject objectClass is, that the OP found.


    It seems that by adding the extensibleObject objectClass I can add a host attribute.
    I do not really understand how this objectClass works, but internet research always seems to point to this object class.



     Chris Ridd

    While extensibleObject will work, it allows any attribute. Our Developer’s Guide recommends against it in general.

     Andy Cory

    Using extensibleObject may solve the issue, but it’s opening the door wider than required. Adding a custom auxiliary objectClass as Michelle suggests is not a major task, and has to be a better way to go.
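The custom auxiliary objectClass recommended in the replies above could look like the LDIF below. This is an added example, not posted by anyone in the thread and not part of the server's shipped schema; the class name exampleHostAccess and the OID are placeholders, and the entry DN is the one shown in the error message.

```ldif
# Added example (not from the thread).
# "exampleHostAccess" is a hypothetical name; REPLACE-WITH-YOUR-OID is a
# placeholder for an OID allocated from your own organisation's arc.

# 1. Define an AUXILIARY class that permits exactly one extra attribute.
#    AUXILIARY classes can be combined with the entry's existing structural
#    chain (person -> organizationalPerson -> inetOrgPerson), so the
#    "multiple conflicting structural objectclasses" error does not apply.
#    Use MUST host instead of MAY host to require the attribute.
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( REPLACE-WITH-YOUR-OID NAME 'exampleHostAccess'
  DESC 'Allows the host attribute on a user entry'
  SUP top AUXILIARY MAY host
  X-ORIGIN 'Local example' )

# 2. Attach the class and set the attribute in a single modify operation.
#    Unlike extensibleObject, this permits only host, nothing else.
dn: uid=mwa_test,ou=People,dc=exemple,dc=com
changetype: modify
add: objectClass
objectClass: exampleHostAccess
-
add: host
host: cjlldapclttst.exemple.com
```

If extensibleObject was already added to the entry as a workaround, remove it from objectClass once the auxiliary class is in place so the entry goes back to accepting only schema-defined attributes.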
