Tay, Gary
2005-Nov-18 18:11 UTC
RE: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
While trying it against SUN ONE DS5.2, it actually worked, and below are the lessons learned:

0) Make sure the Solaris8 Native LDAP Client has the latest kernel and LDAP Patch 108993-49.

1) Did you change this ACL? This is a workaround to make pam_ldap work with account management.

In FDS, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com, and edit one of the listed ACIs, which is usually named "LDAP_Naming_Services_proxy_password_read". Change it.

From:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com" ;)

To:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = ldap:///cn=proxyagent,ou=profile,dc=example,dc=com ;)

2) After creating a user entry, did you add "posixAccount" as well as "shadowAccount" to it in the admin console, and enter values for the uidNumber and gidNumber posixAccount attributes?

3) Make VERY sure that your user entry contains a VALID homeDirectory path and loginShell.

4) If netgroup compat mode is used on the Solaris8 Native LDAP Client, you have to blank out the 2nd and 3rd fields of all +@netgroupX lines, e.g.:

+@netgroup1::::::::
+@netgroup2::::::::

5) Make sure the LDAP domain name in /etc/defaultdomain is defined on the Solaris8 LDAP Client, and a nisDomainObject "example.com" exists at the root entry of the LDAP DIT.

# echo "example.com" >/etc/defaultdomain
# domainname `cat /etc/defaultdomain`

6) Check that passwordStorageScheme in cn=config is "crypt".

Gary

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com on behalf of Vsevolod (Simon) Ilyushchenko
Sent: Sat 11/19/2005 1:26 AM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.

Hi,

I have successfully configured a Solaris 2.8 box to use FDS as the authentication server. However, one detail eludes me.

I'd like to be able to inactivate accounts. This feature works fine with Linux clients. With Solaris, I can get either LDAP inactivation or local accounts to work. :(

If I have this in pam.conf, then the LDAP accounts are locked out correctly, but local accounts don't work at all!

other account requisite pam_roles.so.1
other account required pam_unix_account.so.1 server_policy
other account required pam_ldap.so

If I run ssh -d -d -d to a local account, it tells me:
debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)

On the other hand, if I have this in pam.conf (and that's what Gary Tay's guide recommends), then local accounts work fine, but I have a locked LDAP account that accepts ANY password:

other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so

Is there a particular patch set, perhaps, that would solve this?

Thanks,
Simon
--
Simon (Vsevolod ILyushchenko) simonf@cshl.edu
http://www.simonf.com

"Think like a man of action, act like a man of thought."
Henri Bergson

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
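An offline check for items 1 to 3 of Gary's list, written for this thread as an added example (not code from the thread or from FDS): it reads an LDIF export, reports any ACI that still grants the proxy agent "read" on userPassword, and flags user entries lacking posixAccount/shadowAccount, uidNumber/gidNumber, an absolute homeDirectory or a known loginShell. The LDIF, the function names and the VALID_SHELLS set are assumptions; the proxyagent DN and ACI text are the ones quoted above.

```python
import re
# Constructed sample LDIF (not from the thread); bob deliberately violates steps 2 and 3.
SAMPLE_LDIF = """dn: dc=example,dc=com
aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com" ;)

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 1001
gidNumber: 100
homeDirectory: /export/home/alice
loginShell: /bin/sh

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
loginShell: /usr/local/bin/zsh
"""
ACI_RE = re.compile(r'\(targetattr="(?P<attr>[^"]+)"\).*?allow \((?P<rights>[^)]+)\)'
                    r'\s*userdn\s*=\s*"?(?P<who>ldap:///[^";\s]+)', re.S)
VALID_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh", "/usr/bin/bash"}  # assumed; use the client's /etc/shells

def parse_ldif(text):
    """Minimal LDIF reader (no folding or base64): one {attr: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def acis_reading_userpassword(entries, proxy_dn="cn=proxyagent,ou=profile,dc=example,dc=com"):
    """Step 1: names of ACIs that still grant the proxy agent 'read' on userPassword."""
    names = []
    for aci in (a for e in entries for a in e.get("aci", [])):
        m = ACI_RE.search(aci)
        if not m or m["attr"].lower() != "userpassword":
            continue
        rights = {r.strip().lower() for r in m["rights"].split(",")}
        if "read" in rights and m["who"].lower().endswith(proxy_dn.lower()):
            names.append(re.search(r'acl\s+"?([^";]+)"?;', aci).group(1))
    return names

def check_user(entry):
    """Steps 2 and 3: both object classes, numeric uid/gid, absolute home, known shell."""
    problems = ["missing objectClass " + oc for oc in ("posixAccount", "shadowAccount") if oc not in entry.get("objectClass", [])]
    problems += ["missing or non-numeric " + a for a in ("uidNumber", "gidNumber") if not entry.get(a, [""])[0].isdigit()]
    if not entry.get("homeDirectory", [""])[0].startswith("/"): problems.append("homeDirectory missing or not absolute")
    if entry.get("loginShell", [""])[0] not in VALID_SHELLS: problems.append("loginShell missing or not a known shell")
    return problems
```

Run it against a real `ldapsearch -LLL` export of the suffix to see which entries would fail the Solaris client's account checks before touching pam.conf.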
Vsevolod (Simon) Ilyushchenko
2005-Nov-18 18:49 UTC
Re: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
Gary,

You totally rule! Thanks! I'll try patching next week.

BTW - I'm not using the native Solaris client, I have installed the OpenLDAP client libraries.

How do I change the ACL below? If I select the "access permissions" menu item on dc=example,dc=com, I get a window with the following ACLs defined:

Enable anonymous access
Enable self write for common attributes
Configuration Administrator
Configuration Administrator Group
Directory Administrator Group
SIE Group

I can also add new ACLs, but I'm not sure how to find the one you are referring to.

Thanks,
Simon

> 1) Did you change this ACL? This is a workaround to make pam_ldap work with account management.
>
> In FDS, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com, and edit one of the listed ACIs, which is usually named "LDAP_Naming_Services_proxy_password_read". Change it.
>
> From:
> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com" ;)
>
> To:
> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = ldap:///cn=proxyagent,ou=profile,dc=example,dc=com ;)
>
> 2) After creating a user entry, did you add "posixAccount" as well as "shadowAccount" to it in the admin console, and enter values for the uidNumber and gidNumber posixAccount attributes?
>
> 3) Make VERY sure that your user entry contains a VALID homeDirectory path and loginShell.
>
> 4) If netgroup compat mode is used on the Solaris8 Native LDAP Client, you have to blank out the 2nd and 3rd fields of all +@netgroupX lines, e.g.:
>
> +@netgroup1::::::::
> +@netgroup2::::::::
>
> 5) Make sure the LDAP domain name in /etc/defaultdomain is defined on the Solaris8 LDAP Client, and a nisDomainObject "example.com" exists at the root entry of the LDAP DIT.
>
> # echo "example.com" >/etc/defaultdomain
> # domainname `cat /etc/defaultdomain`
>
> 6) Check that passwordStorageScheme in cn=config is "crypt".
>
> Gary
>
> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com on behalf of Vsevolod (Simon) Ilyushchenko
> Sent: Sat 11/19/2005 1:26 AM
> To: General discussion list for the Fedora Directory server project.
> Cc:
> Subject: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
>
> Hi,
>
> I have successfully configured a Solaris 2.8 box to use FDS as the
> authentication server. However, one detail eludes me.
>
> I'd like to be able to inactivate accounts. This feature works fine with
> Linux clients. With Solaris, I can get either LDAP inactivation or local
> accounts to work. :(
>
> If I have this in pam.conf, then the LDAP accounts are locked out
> correctly, but local accounts don't work at all!
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1 server_policy
> other account required pam_ldap.so
>
> If I run ssh -d -d -d to a local account, it tells me:
> debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
>
> On the other hand, if I have this in pam.conf (and that's what Gary
> Tay's guide recommends), then local accounts work fine, but I have a
> locked LDAP account that accepts ANY password:
>
> other account requisite pam_roles.so.1
> other account binding pam_unix_account.so.1 server_policy
> other account required pam_ldap.so
>
> Is there a particular patch set, perhaps, that would solve this?
>
> Thanks,
> Simon
> --
> Simon (Vsevolod ILyushchenko) simonf@cshl.edu
> http://www.simonf.com
>
> "Think like a man of action, act like a man of thought."
> Henri Bergson
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Simon (Vsevolod ILyushchenko) simonf@cshl.edu
http://www.simonf.com

"Think like a man of action, act like a man of thought."
Henri Bergson