[Fedora-directory-users] Account expiration on Solaris 2.8 does not work.

Vsevolod (Simon) Ilyushchenko simonf at cshl.edu
Fri Nov 18 18:49:35 UTC 2005


Gary,

You totally rule! Thanks! I'll try patching next week.

BTW - I'm not using native Solaris client, I have installed the Openldap 
client libraries.

How do I change the ACL below? If I select the "access permissions" menu 
item on dc=example,dc=com, I get a window with the following ACLs 
defined:

Enable anonymous access
Enable self write for common attributes
Configuration Administrator
Configuration Administrator Group
Directory Administrator Group
SIE Group

I can also add new ACLs, but I'm not sure how to find the one you are 
referring to.

Thanks,
Simon


 > 1) Did you change this ACL? This is a workaround to make pam_ldap
 > work with account management.
 >
 > In FDS, open Directory Server, select defaultSearchBase, i.e.
 > dc=example,dc=com and edit one of the listed ACIs, which is usually
 > named "LDAP_Naming_Services_proxy_password_read":
 >
 > Change it.
 >
 > From:
 > (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
 >
 > To:
 > (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
 >
 >
 > 2) After creating a user entry, did you add "posixAccount" as well as
 > "shadowAccount" to it in the admin console, and enter values for the
 > uidNumber and gidNumber posixAccount attributes?
 >
 > 3) Make VERY sure that your user entry contains a VALID homeDirectory
 > path and loginShell.
 >
 > 4) If netgroup compat mode is used on the Solaris 8 Native LDAP Client,
 > you have to blank out the 2nd and 3rd fields of all +@netgroupX lines, e.g.:
 >
 > +@netgroup1 ::::::::
 > +@netgroup2 ::::::::
 >
 > 5) Make sure the LDAP domain name in /etc/defaultdomain is defined on the
 > Solaris 8 LDAP Client, and a nisDomainObject "example.com" exists at the
 > root entry of the LDAP DIT.
 >
 > # echo "example.com" >/etc/defaultdomain
 > # domainname `cat /etc/defaultdomain`
 >
 > 6) Check that passwordStorageScheme in cn=config is "crypt"
 >
 > Gary
 >
 > 	-----Original Message-----
 > 	From: fedora-directory-users-bounces at redhat.com on behalf of 
Vsevolod (Simon) Ilyushchenko
 > 	Sent: Sat 11/19/2005 1:26 AM
 > 	To: General discussion list for the Fedora Directory server project.
 > 	Cc:
 > 	Subject: [Fedora-directory-users] Account expiration on Solaris 2.8
 > 	does not work.
 > 	
 > 	
 >
 > 	Hi,
 > 	
 > 	I have successfully configured a Solaris 2.8 box to use FDS as the
 > 	authentication server. However, one detail eludes me.
 > 	
 > 	I'd like to be able to inactivate accounts. This feature works fine with
 > 	Linux clients. With Solaris, I can get either LDAP inactivation or local
 > 	accounts to work. :(
 > 	
 > 	If I have this in pam.conf, then the LDAP accounts are locked out
 > 	correctly, but local accounts don't work at all!
 > 	
 > 	other   account requisite pam_roles.so.1
 > 	other   account required  pam_unix_account.so.1 server_policy
 > 	other   account required  pam_ldap.so
 > 	
 > 	If I run ssh -d -d -d to a local account, it tells me:
 > 	debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
 > 	
 > 	On the other hand, if I have this in pam.conf (and that's what Gary
 > 	Tay's guide recommends), then local accounts work fine, but I have a
 > 	locked LDAP account that accepts ANY password:
 > 	
 > 	other   account requisite pam_roles.so.1
 > 	other   account binding  pam_unix_account.so.1 server_policy
 > 	other   account required  pam_ldap.so
 > 	
 > 	Is there a particular patch set, perhaps, that would solve this?
 > 	
 > 	Thanks,
 > 	Simon
 > 	--
 > 	
 > 	Simon (Vsevolod ILyushchenko)   simonf at cshl.edu
 > 	                                http://www.simonf.com
 > 	
 > 	"Think like a man of action, act like a man of thought."
 > 	
 > 	                         Henri Bergson
 > 	
 > 	--
 > 	Fedora-directory-users mailing list
 > 	Fedora-directory-users at redhat.com
 > 	https://www.redhat.com/mailman/listinfo/fedora-directory-users
 > 	

-- 

Simon (Vsevolod ILyushchenko)   simonf at cshl.edu
				http://www.simonf.com

"Think like a man of action, act like a man of thought."

		         Henri Bergson
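The ACI change Gary quotes above replaces the proxy agent's (compare,read,search) rights on userPassword with (compare,search): pam_ldap only needs to compare a password, and leaving "read" in place hands the stored hash to anyone who can bind as the proxy agent. The following is an added example, not code from this thread or from Fedora Directory Server: a small Python check that parses ACI strings in the form quoted above and flags any that still allow "read" on userPassword. The two sample ACIs are constructed from the "From" and "To" versions in the reply; the regular expressions cover only the ACI fields used here (target, targetattr, acl name, allow/deny rights, userdn) and are an assumption of this example, not a complete ACI grammar.

```python
import re

# Constructed samples: the two ACI versions quoted in the reply above.
ACI_BEFORE = (
    '(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
    '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
    'allow (compare,read,search) userdn = '
    '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'
)
ACI_AFTER = (
    '(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
    '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
    'allow (compare,search) userdn = '
    '"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'
)

# Assumed subset of the Directory Server ACI syntax; not a full grammar.
_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)
_ACL_NAME = re.compile(r'\bacl\s+"?([^";]+?)"?\s*;', re.IGNORECASE)
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?);',
                   re.IGNORECASE | re.DOTALL)
_USERDN = re.compile(r'userdn\s*=\s*"?(ldap:///[^"\s;]+)"?', re.IGNORECASE)


def parse_aci(aci):
    """Extract the fields this check needs from one ACI string."""
    m = _TARGETATTR.search(aci)
    # No targetattr clause means the ACI applies to every attribute.
    attrs = [a.strip().lower() for a in m.group(2).split("||")] if m else ["*"]
    negated = bool(m and m.group(1) == "!=")
    covers_pw = "userpassword" in attrs or "*" in attrs
    if negated:  # targetattr != "x" covers everything except x
        covers_pw = "userpassword" not in attrs
    name_m = _ACL_NAME.search(aci)
    rules = []
    for kind, rights, subject in _RULE.findall(aci):
        dn_m = _USERDN.search(subject)
        rules.append({
            "type": kind.lower(),
            "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
            "userdn": dn_m.group(1).lower() if dn_m else None,
        })
    return {
        "name": name_m.group(1).strip() if name_m else None,
        "targetattr": attrs,
        "covers_userpassword": covers_pw,
        "rules": rules,
    }


def grants_password_read(aci):
    """True if the ACI lets some subject read userPassword values.

    'compare' is all a PAM/NSS proxy needs to verify a password; 'read'
    additionally discloses the stored hash.
    """
    parsed = parse_aci(aci)
    return parsed["covers_userpassword"] and any(
        r["type"] == "allow" and "read" in r["rights"] for r in parsed["rules"]
    )


def audit(acis):
    """Return (acl name, userdn) for every ACI that exposes userPassword to read."""
    findings = []
    for aci in acis:
        if not grants_password_read(aci):
            continue
        parsed = parse_aci(aci)
        for rule in parsed["rules"]:
            if rule["type"] == "allow" and "read" in rule["rights"]:
                findings.append((parsed["name"], rule["userdn"]))
    return findings


if __name__ == "__main__":
    for label, aci in (("before", ACI_BEFORE), ("after", ACI_AFTER)):
        print(f"{label}: userPassword readable = {grants_password_read(aci)}")
    for name, dn in audit([ACI_BEFORE, ACI_AFTER]):
        print(f"ACI {name!r} still grants read on userPassword to {dn}")
```

On a live server the ACI strings to feed into audit() would come from the aci attribute of the suffix entry (dc=example,dc=com in the thread); the check reports the "before" version and is silent on the "after" one.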