[Fedora-directory-users] fds on solaris 9 with PAM

Tay, Gary Gary_Tay at platts.com
Tue Sep 20 14:41:35 UTC 2005


It is recommended that the latest kernel and LDAP patches be applied to the Solaris boxes.
 
You may follow:
 
http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
 
and
 
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm
 
You should add the "shadowAccount" objectClass to the LDAP user entries if it is not already there, as there may be evidence in the access log file that the Solaris LDAP client is looking for the attributes "uid userPassword shadowFlag", i.e. it needs the shadowAccount objectClass, which provides shadowFlag.
 
FDS may create ou=Groups, which is based on groupOfUniqueNames; the Solaris LDAP client would probably use posixGroup/memberUid, so you should create an ou=group to contain all the posixGroups.
 
If you use OpenSSH, you should compile/build it with "--with-pam" and have "UsePAM" (it may be called "PAMAuthenticationViaKbdInt yes" in older versions of OpenSSH) in the sshd_config file; the Sun version of SSH should already have PAM support compiled in.
 
Gary

	-----Original Message----- 
	From: fedora-directory-users-bounces at redhat.com on behalf of Basile Mathieu 
	Sent: Tue 9/20/2005 3:03 AM 
	To: fedora-directory-users at redhat.com 
	Cc: 
	Subject: [Fedora-directory-users] fds on solaris 9 with PAM
	
	

	Hi,
	
	I've got FDS installed on a Solaris 9 server and want to use
	FDS as the /etc/passwd and /etc/shadow files.
	FDS works fine: I can populate the directory (and use all the ldap commands), and
	the id, getent, su and ldaplist commands work fine.
	Here are my problems:
	login, ssh and telnet don't work with users in the directory.
	Here are the logs of sshd:
	
	sshd[1523]: [ID 800047 auth.error] error: PAM: No account present for user for
	bmathieu from gentoo1
	
	and for login:
	
	login: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple
	bind failed - Invalid credentials
	
	A user can't change his password (root can, and I can modify the password
	with ldapmodify binding as this user).
	
	I think that PAM doesn't work.
	Here is my /etc/pam.conf:
	#
	# Authentication management
	#
	# login service (explicit because of pam_dial_auth)
	#
	login   auth requisite        pam_authtok_get.so.1
	login   auth required         pam_dhkeys.so.1
	login   auth required         pam_unix_cred.so.1
	login   auth required         pam_dial_auth.so.1
	login   auth binding          pam_unix_auth.so.1 server_policy
	login   auth required         pam_ldap.so.1
	
	#sshd   auth requisite          pam_authtok_get.so.1
	#sshd   auth required           pam_dhkeys.so.1
	#sshd   auth binding            pam_unix_auth.so.1 server_policy
	#sshd   auth required           pam_ldap.so.1
	#sshd   account required        pam_unix_account.so.1
	
	sshd   auth requisite          pam_authtok_get.so.1
	sshd   auth required           pam_dhkeys.so.1
	sshd   auth sufficient         pam_unix_auth.so.1
	sshd   auth required           pam_ldap.so.1
	sshd   account required        pam_unix_account.so.1
	
	#
	# rlogin service (explicit because of pam_rhost_auth)
	#
	rlogin  auth sufficient       pam_rhosts_auth.so.1
	rlogin  auth requisite        pam_authtok_get.so.1
	rlogin  auth required         pam_dhkeys.so.1
	#rlogin  auth required         pam_unix_cred.so.1
	rlogin  auth binding          pam_unix_auth.so.1 server_policy
	rlogin  auth required         pam_ldap.so.1
	#
	# rsh service (explicit because of pam_rhost_auth,
	# and pam_unix_auth for meaningful pam_setcred)
	rsh     auth sufficient       pam_rhosts_auth.so.1
	#rsh     auth required         pam_unix_cred.so.1
	rsh     auth binding          pam_unix_auth.so.1 server_policy
	rsh     auth required         pam_ldap.so.1
	#
	# PPP service (explicit because of pam_dial_auth)
	#
	ppp     auth requisite        pam_authtok_get.so.1
	ppp     auth required         pam_dhkeys.so.1
	ppp     auth required         pam_dial_auth.so.1
	ppp     auth binding          pam_unix_auth.so.1 server_policy
	ppp     auth required         pam_ldap.so.1
	#
	# Default definitions for Authentication management
	# Used when service name is not explicitly mentioned for authentication
	#
	other   auth requisite        pam_authtok_get.so.1
	other   auth required         pam_dhkeys.so.1
	#other   auth required         pam_unix_cred.so.1
	other   auth binding          pam_unix_auth.so.1 server_policy
	other   auth required         pam_ldap.so.1
	#
	# passwd command (explicit because of a different authentication module)
	#
	passwd  auth binding          pam_passwd_auth.so.1 server_policy
	passwd  auth required         pam_ldap.so.1
	#
	# cron service (explicit because of non-usage of pam_roles.so.1)
	#
	cron    account required      pam_unix_account.so.1
	#
	# Default definition for Account management
	# Used when service name is not explicitly mentioned for account management
	#
	other   account requisite     pam_roles.so.1
	other   account binding       pam_unix_account.so.1 server_policy
	other   account required      pam_ldap.so.1
	#
	# Default definition for Session management
	# Used when service name is not explicitly mentioned for session management
	#
	other   session required      pam_unix_session.so.1
	#
	# Default definition for  Password management
	# Used when service name is not explicitly mentioned for password management
	#
	other   password required     pam_dhkeys.so.1
	other   password requisite    pam_authtok_get.so.1
	other   password requisite    pam_authtok_check.so.1
	other   password required     pam_authtok_store.so.1 server_policy
	
	thanks
	
	
	--------------------------------------------------------
	This message was sent by the Sorbonne Webmail via IMP.
	http://courrier.sorbonne.fr/   http://mail.sorbonne.fr/
	
	--
	Fedora-directory-users mailing list
	Fedora-directory-users at redhat.com
	https://www.redhat.com/mailman/listinfo/fedora-directory-users
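The three items in Gary's reply (shadowAccount on every posixAccount entry, posixGroup/memberUid groups under ou=group, and PAM switched on in sshd_config) can all be checked offline against an LDIF dump and a copy of sshd_config before touching the Solaris box. The script below is an added example written for this page; it is not code from either message, from Fedora Directory Server or from Solaris. The sample LDIF, the dc=example,dc=com suffix, the uid values and the starting gidNumber are constructed placeholders; the sshd_config keywords are the two named in the reply.

```python
"""Offline checks for the three points in Gary's reply: shadowAccount on every
posixAccount entry, posixGroup/memberUid groups under ou=group, and PAM
switched on in sshd_config. Added example for this page, not code from the
messages, Fedora Directory Server or Solaris; all sample data is constructed."""
import base64
import re

# Constructed sample dump: "alice" lacks shadowAccount; the group exists only
# as groupOfUniqueNames under ou=Groups, which the Solaris client does not read.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
gidNumber: 100

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: bob
cn:: Qm9iIEV4YW1wbGU=
gidNumber: 100
shadowFlag: 0

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com
uniqueMember: cn=Directory Manager
"""

def parse_ldif(text):
    """LDIF -> list of dicts (lowercase attribute -> list of values)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # folded continuation line
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        # "attr:: <base64>" carries binary or non-ASCII values
        value = base64.b64decode(value[1:]).decode() if value.startswith(":") else value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    return entries

def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))

def accounts_missing_shadow(entries):
    """DNs of posixAccount entries without shadowAccount. The Solaris client
    asks for uid/userPassword/shadowFlag; shadowFlag is defined by shadowAccount."""
    return [e["dn"][0] for e in entries
            if has_class(e, "posixAccount") and not has_class(e, "shadowAccount")]

def shadow_fix_ldif(dns):
    """ldapmodify records that add shadowAccount to each DN."""
    return "".join(f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
                   "objectClass: shadowAccount\n\n" for dn in dns)

_UID_RDN = re.compile(r"^uid=([^,]+)", re.IGNORECASE)

def posix_groups_from_unique_names(entries, group_base, start_gid=1000):
    """posixGroup LDIF under group_base (e.g. ou=group,...) derived from
    groupOfUniqueNames entries. uniqueMember DNs with a uid= RDN become
    memberUid; other members (e.g. cn=Directory Manager) are dropped. gidNumber
    is copied if the source has one, else allocated from start_gid (assumed free)."""
    out, next_gid = [], start_gid
    for e in entries:
        if not has_class(e, "groupOfUniqueNames"):
            continue
        members = [m.group(1) for m in map(_UID_RDN.match, e.get("uniquemember", [])) if m]
        if "gidnumber" in e:
            gid = int(e["gidnumber"][0])
        else:
            gid, next_gid = next_gid, next_gid + 1
        rec = [f"dn: cn={e['cn'][0]},{group_base}", "objectClass: posixGroup",
               f"cn: {e['cn'][0]}", f"gidNumber: {gid}"] + [f"memberUid: {u}" for u in members]
        out.append("\n".join(rec) + "\n")
    return "\n".join(out)

def sshd_pam_enabled(config_text):
    """True when sshd_config says 'UsePAM yes' (or the older
    'PAMAuthenticationViaKbdInt yes'). Keywords are case-insensitive, may use
    '=' as separator and, as in sshd, the first occurrence wins; an absent
    keyword means the default, which is off."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("usepam", "pamauthenticationviakbdint"):
            return parts[1].strip().lower() == "yes"
    return False

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(shadow_fix_ldif(accounts_missing_shadow(entries)))
    print(posix_groups_from_unique_names(entries, "ou=group,dc=example,dc=com"))
    print("sshd PAM enabled:", sshd_pam_enabled("UsePAM yes\n"))
```

Feed it a dump produced by ldapsearch (the exact flags differ between the Sun and OpenLDAP clients) instead of SAMPLE_LDIF, load the shadowAccount records with ldapmodify, and create the ou=group organizationalUnit before adding the generated posixGroup records; the gidNumber allocation is a placeholder, so pick a range that does not collide with /etc/group.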
	


