While trying it against SUN ONE DS5.2, it actually worked, and below are the 
lessons learned:
 
0) Make sure Solaris8 Native LDAP Client has latest kernel and LDAP Patch 
108993-49.
 
1) Did you change this ACL? This is a workaround to make pam_ldap work with 
account management.

In FDS, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com 
and edit one of the listed ACIs, which is usually named 
“LDAP_Naming_Services_proxy_password_read”:

Change it.

From:
(target="ldap:///dc=example,dc=com";)(targetattr="userPassword")(version 3.0; 
acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) 
userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

To:
(target="ldap:///dc=example,dc=com";)(targetattr="userPassword")(version 3.0; 
acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = 
"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)


2) After creating the user entry, did you add "posixAccount" as well as 
"shadowAccount" to it in the admin console, and enter values for the uidNumber 
and gidNumber posixAccount attributes?

3) Make VERY sure that your user entry contains VALID homeDirectory path and 
loginShell.
 
4) If netgroup compat mode is used on the Solaris8 Native LDAP Client, you have 
to blank out the 2nd and 3rd fields of all [EMAIL PROTECTED] lines, eg:
 
[EMAIL PROTECTED] ::::::::
[EMAIL PROTECTED] ::::::::
 
5) Make sure the LDAP domain name in /etc/defaultdomain is defined at the 
Solaris8 LDAP Client, and a nisDomainObject "example.com" exists at the root 
entry of the LDAP DIT.
 
# echo "example.com" >/etc/defaultdomain
# domainname `cat /etc/defaultdomain`
 
6) Check that passwordStorageScheme in cn=config is "crypt"
 
Gary
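The checks in the list above, turned into a small offline lint for an LDIF export of the directory (an added example written for this thread; it is not code from the post, from Gary's guide or from the Directory Server project). It assumes a plain LDIF export (such as the output of db2ldif), parses ACIs with regular expressions that cover only the single allow clause form shown above, and runs against a constructed sample with hypothetical users alice and bob and a made-up password hash:

```python
"""Offline lint of an LDIF export for the Solaris 8 native LDAP client pitfalls
above (steps 1, 2, 3, 5, 6). Added example, not the post's or the project's code."""
import re

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*):\s?(.*)$")        # attr: value
ACI_TARGETATTR = re.compile(r'targetattr\s*=\s*"([^"]*)"', re.IGNORECASE)
ACI_ALLOW = re.compile(r"allow\s*\(([^)]*)\)", re.IGNORECASE)

# Constructed sample (not real data): suffix with the unmodified ACI, one
# correct user, one user showing several mistakes from the list above.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: nisDomainObject
nisDomain: example.com
aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
  3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search)
  userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 1001
gidNumber: 100
homeDirectory: /export/home/alice
loginShell: /bin/ksh
userPassword: {crypt}ExAmPlEhAsH00

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1002
gidNumber: 100
homeDirectory: export/home/bob
userPassword: {SSHA}ExAmPlEhAsH00
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]; base64 '::' values not decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # LDIF fold: leading space joins lines
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        m = LINE_RE.match(line)               # comments and junk do not match
        if m and m.group(1).lower() == "dn":
            current = (m.group(2), {})
        elif m and current is not None:
            current[1].setdefault(m.group(1).lower(), []).append(m.group(2))
    return entries


def audit_user(dn, attrs):
    """Steps 2, 3 and 6: object classes, POSIX attributes, password scheme."""
    findings = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    for cls in ("posixaccount", "shadowaccount"):
        if cls not in classes:
            findings.append(f"{dn}: missing objectClass {cls}")
    for attr in ("uidnumber", "gidnumber"):
        if not attrs.get(attr, [""])[0].isdigit():
            findings.append(f"{dn}: {attr} missing or not numeric")
    for attr in ("homedirectory", "loginshell"):
        if not attrs.get(attr, [""])[0].startswith("/"):
            findings.append(f"{dn}: {attr} missing or not an absolute path")
    for pw in attrs.get("userpassword", []):
        if not pw.lower().startswith("{crypt}"):
            findings.append(f"{dn}: userPassword not stored with the crypt scheme")
    return findings


def audit_ldif(text):
    """Run every check over an LDIF export and return the list of findings."""
    entries = parse_ldif(text)
    findings = []
    # Step 5: the suffix (shortest DN) must carry nisDomain (nisDomainObject).
    suffix_dn, suffix = min(entries, key=lambda e: e[0].count(","))
    if "nisdomain" not in suffix:
        findings.append(f"{suffix_dn}: suffix lacks nisDomainObject/nisDomain")
    for dn, attrs in entries:
        # Step 1: the proxy agent needs compare/search, not read, on userPassword.
        for aci in attrs.get("aci", []):
            target, allow = ACI_TARGETATTR.search(aci), ACI_ALLOW.search(aci)
            if target and allow and "userpassword" in target.group(1).lower():
                perms = {p.strip().lower() for p in allow.group(1).split(",")}
                if "read" in perms:
                    findings.append(f"{dn}: ACI grants 'read' on userPassword; "
                                    "allow only (compare,search)")
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "uidnumber" in attrs or classes & {"posixaccount", "shadowaccount"}:
            findings.extend(audit_user(dn, attrs))
    return findings
```

Calling audit_ldif(SAMPLE_LDIF) reports the 'read' permission on the suffix ACI plus four problems with bob's entry (no shadowAccount, relative homeDirectory, no loginShell, non-crypt password); alice passes. The password check matches step 6 only by prefix, so an export made after switching passwordStorageScheme still flags users whose hashes were stored under the old scheme, which is exactly the case where a Solaris 8 client will fail to authenticate them.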

        -----Original Message----- 
        From: [EMAIL PROTECTED] on behalf of Vsevolod (Simon) Ilyushchenko 
        Sent: Sat 11/19/2005 1:26 AM 
        To: General discussion list for the Fedora Directory server project. 
        Cc: 
        Subject: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
        
        

        Hi,
        
        I have successfully configured a Solaris 2.8 box to use FDS as the
        authentication server. However, one detail eludes me.
        
        I'd like to be able to inactivate accounts. This feature works fine with
        Linux clients. With Solaris, I can get either LDAP inactivation or local
        accounts to work. :(
        
        If I have this in pam.conf, then the LDAP accounts are locked out
        correctly, but local accounts don't work at all!
        
        other   account requisite pam_roles.so.1
        other   account required  pam_unix_account.so.1 server_policy
        other   account required  pam_ldap.so
        
        If I run ssh -d -d -d to a local account, it tells me:
        debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
        
        On the other hand, if I have this in pam.conf (and that's what Gary
        Tay's guide recommends), then local accounts work fine, but I have a
        locked LDAP account that accepts ANY password:
        
        other   account requisite pam_roles.so.1
        other   account binding  pam_unix_account.so.1 server_policy
        other   account required  pam_ldap.so
        
        Is there a particular patch set, perhaps, that would solve this?
        
        Thanks,
        Simon
        --
        
        Simon (Vsevolod Ilyushchenko)   [EMAIL PROTECTED]
                                        http://www.simonf.com
        
        "Think like a man of action, act like a man of thought."
        
                                 Henri Bergson
        
        --
        Fedora-directory-users mailing list
        [email protected]
        https://www.redhat.com/mailman/listinfo/fedora-directory-users
        

