
List:       fedora-directory-users
Subject:    RE: [Fedora-directory-users] Account expiration on Solaris 2.8
From:       "Tay, Gary" <Gary_Tay () platts ! com>
Date:       2005-11-19 2:43:57
Message-ID: A04B6AE6ED3BD742B64D5B17093F64E201414A1D () IMSSGPX01 ! ims ! mhm ! mhc


I believe the ACL and another one (see related post) are added by the SUN DS5.2 "idsconfig" command (iPlanet Directory Server Config). Since FDS7.1 does not provide this command, these two ACLs do not exist; you could simply add them in at the "dc=example,dc=com" (defaultSearchBase) level, using copy and paste and manual editing mode.
See related post:
https://www.redhat.com/archives/fedora-directory-users/2005-July/msg00133.html
 
I have seen Account Management features like account lockout, account pw reset leading to user forced pw change, and account expiration working on Solaris Native LDAP Client libraries. If you use OpenLDAP+PADL Client libraries, I do not know what will be in for you; most likely it won't work.
I highly recommend the use of Native Client libs, or else when SUN changes something your hard worked craft may not be working anymore.
Gary

	-----Original Message-----
	From: fedora-directory-users-bounces@redhat.com on behalf of Vsevolod (Simon) Ilyushchenko
	Sent: Sat 11/19/2005 2:49 AM
	To: General discussion list for the Fedora Directory server project.
	Cc:
	Subject: Re: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
	
	

	Gary,
	
	You totally rule! Thanks! I'll try patching next week.
	
	BTW - I'm not using native Solaris client, I have installed the Openldap
	client libraries.
	
	How do I change the ACL below? If I select the "access permissions" menu
	item on dc=example,dc=com, I get a window with the following ACLs
	defined:
	
	Enable anonymous access
	Enable self write for common attributes
	Configuration Administrator
	Configuration Administrator Group
	Directory Administrator Group
	SIE Group
	
	I can also add new ACLs, but I'm not sure how to find the one you are
	referring to.
	
	Thanks,
	Simon
	
	
	 > 1) Did you change this ACL? This is a workaround to make pam_ldap
	 > work with account management.
	 >
	 > In FDS, open Directory Server, select defaultSearchBase, i.e.
	 > dc=example,dc=com, and edit one of the listed ACIs, which is usually
	 > named "LDAP_Naming_Services_proxy_password_read":
	 >
	 > Change it.
	 >
	 > From:
	 > (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0;
	 > acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search)
	 > userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
	 >
	 > To:
	 > (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0;
	 > acl LDAP_Naming_Services_proxy_password_read; allow (compare,search)
	 > userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
	 >
	 >
	 > 2) After creating the user entry, did you add "posixAccount" as well as
	 > "shadowAccount" to them in the admin console, and enter values for the
	 > uidNumber and gidNumber posixAccount attributes?
	 >
	 > 3) Make VERY sure that your user entry contains a VALID homeDirectory
	 > path and loginShell.
	 >
	 > 4) If netgroup compat mode is used on the Solaris8 Native LDAP Client,
	 > you have got to blank out the 2nd and 3rd fields of all +@netgroupX lines, eg:
	 >
	 > +@netgroup1::::::::
	 > +@netgroup2::::::::
	 >
	 > 5) Make sure the LDAP domain name in /etc/defaultdomain is defined at the
	 > Solaris8 LDAP Client, and a nisDomainObject "example.com" exists at the
	 > root entry of the LDAP DIT.
	 >
	 > # echo "example.com" >/etc/defaultdomain
	 > # domainname `cat /etc/defaultdomain`
	 >
	 > 6) Check that passwordStorageScheme in cn=config is "crypt"
	 >
	 > Gary
	 >
	 >      -----Original Message-----
	 >      From: fedora-directory-users-bounces@redhat.com on behalf of
	 >      Vsevolod (Simon) Ilyushchenko
	 >      Sent: Sat 11/19/2005 1:26 AM
	 >      To: General discussion list for the Fedora Directory server project.
	 >      Cc:
	 >      Subject: [Fedora-directory-users] Account expiration on Solaris 2.8
	 >      does not work.
	 >     
	 >     
	 >
	 >      Hi,
	 >     
	 >      I have successfully configured a Solaris 2.8 box to use FDS as the
	 >      authentication server. However, one detail eludes me.
	 >     
	 >      I'd like to be able to inactivate accounts. This feature works fine with
	 >      Linux clients. With Solaris, I can get either LDAP inactivation or local
	 >      accounts work. :(
	 >     
	 >      If I have this in pam.conf, then the LDAP accounts are locked out
	 >      correctly, but local accounts don't work at all!
	 >     
	 >      other   account requisite pam_roles.so.1
	 >      other   account required  pam_unix_account.so.1 server_policy
	 >      other   account required  pam_ldap.so
	 >     
	 >      If I run ssh -d -d -d to a local account, it tells me:
	 >      debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present
	 >      for user)
	 >     
	 >      On the other hand, if I have this in pam.conf (and that's what Gary
	 >      Tay's guide recommends), then local accounts work fine, but I have a
	 >      locked LDAP account that accepts ANY password:
	 >     
	 >      other   account requisite pam_roles.so.1
	 >      other   account binding  pam_unix_account.so.1 server_policy
	 >      other   account required  pam_ldap.so
	 >     
	 >      Is there a particular patch set, perhaps, that would solve this?
	 >     
	 >      Thanks,
	 >      Simon
	
	--
	
	Simon (Vsevolod ILyushchenko)   simonf@cshl.edu
	                                http://www.simonf.com
	
	"Think like a man of action, act like a man of thought."
	
	                         Henri Bergson
	
	--
	Fedora-directory-users mailing list
	Fedora-directory-users@redhat.com
	https://www.redhat.com/mailman/listinfo/fedora-directory-users
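Gary's item 1 removes "read" on userPassword from the proxy agent's ACI. The following Python is an added audit helper, not code from the thread or from Fedora Directory Server: it parses ACIs of the shape quoted above and reports any allow ACI that still lets a bind DN other than the entry itself read userPassword. The two ACI strings are constructed from the mail's "From:" and "To:" forms.

```python
import re

# ACI strings constructed from the pair quoted in the thread: the "From:" form
# and the "To:" workaround with "read" removed.  Not copied from a live server.
ACI_BEFORE = (
    '(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
    '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
    'allow (compare,read,search) userdn = '
    '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'
)
ACI_AFTER = ACI_BEFORE.replace("(compare,read,search)", "(compare,search)")

# Loose parser for ACIs of the shape above (targetattr, acl name, allow/deny,
# permission list, userdn).  Tolerates an unquoted acl name or userdn, which is
# how the workaround ACI appears in the mail; "targetattr != ..." is not handled.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\).*?'
    r'\bacl\s+"?(?P<name>[^;"]+?)"?\s*;\s*'
    r'(?P<verb>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'userdn\s*=\s*"?(?P<userdn>ldap:///[^";)\s]+)"?',
    re.IGNORECASE | re.DOTALL,
)


def parse_aci(aci):
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: %r" % aci)
    return {
        "name": m.group("name").strip(),
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "verb": m.group("verb").lower(),
        "perms": {p.strip().lower() for p in m.group("perms").split(",")},
        "userdn": m.group("userdn").lower(),
    }


def password_read_grants(acis):
    """Names of allow ACIs that let a bind DN other than the entry itself read
    userPassword.  With passwordStorageScheme "crypt" (item 6) such a grant
    exposes every stored password hash to that DN; the workaround drops it."""
    hits = []
    for aci in acis:
        p = parse_aci(aci)
        if p["verb"] != "allow" or "read" not in p["perms"]:
            continue
        if p["attrs"] & {"userpassword", "*"} and p["userdn"] != "ldap:///self":
            hits.append(p["name"])
    return hits
```

Feed it the ACIs exported from the defaultSearchBase entry to confirm the edit took effect.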
	
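The two pam.conf stacks Simon quotes differ only in the control flag on pam_unix_account. This added Python model (not part of the thread and not Solaris's libpam) replays the Solaris pam.conf(4) flag rules over both stacks; the per-module return values in the two scenarios are assumptions chosen to match the behaviour reported in the mail.

```python
# Constructed model of the Solaris pam.conf(4) control flags for an account
# stack, used to replay the two stacks quoted in the thread.  Added
# illustration, not Solaris's libpam: each module's return value is supplied
# by hand in the scenarios below.

STACK_REQUIRED = [                      # first stack in the mail
    ("requisite", "pam_roles.so.1"),
    ("required", "pam_unix_account.so.1"),
    ("required", "pam_ldap.so"),
]
STACK_BINDING = [                       # second stack: binding, not required
    ("requisite", "pam_roles.so.1"),
    ("binding", "pam_unix_account.so.1"),
    ("required", "pam_ldap.so"),
]


def run_account_stack(stack, results):
    """Return (final_result, modules_consulted).  'results' maps a module to
    'success', 'ignore' (PAM_IGNORE: as if not in the stack) or an error name
    such as 'user_unknown' (the 13 in the ssh debug line) or 'acct_expired'."""
    first_failure = None                # first required/binding failure seen
    consulted = []
    for flag, module in stack:
        rc = results[module]
        consulted.append(module)
        if rc == "ignore":
            continue
        ok = rc == "success"
        if flag == "requisite" and not ok:
            return rc, consulted        # fail immediately
        if flag in ("required", "binding") and not ok:
            first_failure = first_failure or rc
        if flag in ("binding", "sufficient") and ok and first_failure is None:
            return "success", consulted  # short-circuit: later modules never run
    return first_failure or "success", consulted


# Scenario A: a local user.  pam_ldap has no entry for it and answers
# user_unknown, which a 'required' flag turns into a stack failure.
LOCAL_USER = {"pam_roles.so.1": "success", "pam_unix_account.so.1": "success",
              "pam_ldap.so": "user_unknown"}
# Scenario B: an inactivated LDAP account.  Assumed: pam_unix_account with
# server_policy answers success and leaves policy to the server, while
# pam_ldap would answer acct_expired.
LOCKED_LDAP_USER = {"pam_roles.so.1": "success", "pam_unix_account.so.1": "success",
                    "pam_ldap.so": "acct_expired"}
```

With the binding stack, a success from pam_unix_account ends the stack before pam_ldap is consulted, so the server-side inactivation is never seen; with the required stack, pam_ldap's user_unknown for local users fails the stack, which is the 13 in the ssh debug output.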

