Hi Florian,

Florian Manschwetus wrote on Thu, 01. 07. 2010 at 12:40 +0200:
> We use ms AD 2008 as ldap / kerberos for our opensolaris machines.
> So far it works fine, but:
> 1. It would be nice to have roles assigned to users, by ad group
> membership (especially root role access for Domain\ Admins).

I would say this is more security than naming but I am not an expert in this area at all. You can file an RFE on bugs.opensolaris.org, of course.

> 2. Logon (ssh what else) managed by group membership (as in linux
> possible with /etc/security/access.conf and pam_access)

I think pam_list could be enhanced in a way to support group membership. If you see a benefit in it, you can file an RFE for it also. Also it seems that pam_access was improved to support Solaris at least once in its history, so it should not be a big problem to port it again I think.

> 3. To have nss_ldap or a replacement, be able to understand recursive
> groups using DN as member attribute as linux nss_switch could do (No
> worry apache ldap is also unable to do so, but it knows DN for direct
> membership, at least a small improvement)
>

Again, an RFE on bugs.opensolaris.org is always welcome. Good patches also :-)

> Maybe someone could give me a hint here.
>

Best regards,

Milan

> thx,
> Florian
>
> On 30.06.2010 15:47, Piotr Jasiukajtis wrote:
> > It works well for me, thanks,
> >
> > On Wed, Jun 30, 2010 at 2:13 PM, Milan Jurik <[email protected]> wrote:
> >> Hi,
> >>
> >> On 06/30/10 13:46, Piotr Jasiukajtis wrote:
> >>>
> >>> Hi,
> >>>
> >>> Where can I find an example on how to use SolarisAuthAttr objects in
> >>> the LDAP directory?
> >>> What I would like to do is to move /etc/user_attr from the clients to
> >>> the server.
> >>>
> >>
> >> Is ldapaddent command helpful for you?
> >>
> >> Best regards,
> >>
> >> Milan
> >>
> >

_______________________________________________
security-discuss mailing list
[email protected]
