[Fedora-directory-users] allowing users to change their own passwords (solaris 10)

Susan logastellus at yahoo.com
Thu Feb 23 14:15:53 UTC 2006


No, looks like I messed up on copy & paste:

-bash-3.00# tail /etc/pam.conf
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#


I have it.

______________________________________________________


--- George Holbert <gholbert at broadcom.com> wrote:

> It looks like you're missing a password stack in your /etc/pam.conf.
> 
> I think you got the example pam.conf here:
> http://docs.sun.com/app/docs/doc/816-4556/6maort2tb?a=view
> ...but did you omit the bottom portion of the file?
> 
> This part:
> 
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other	session required	pam_unix_session.so.1
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other	password required	pam_dhkeys.so.1
> other	password requisite	pam_authtok_get.so.1
> other	password requisite	pam_authtok_check.so.1
> other	password required	pam_authtok_store.so.1
> 
> 
> 
> Susan wrote:
> > I got it from docs.sun.com:
> >
> > -bash-3.00# cat /etc/pam.conf
> > #
> > # Authentication management
> > #
> > # login service (explicit because of pam_dial_auth)
> > #
> > login   auth requisite          pam_authtok_get.so.1
> > login   auth required           pam_dhkeys.so.1
> > login   auth required           pam_dial_auth.so.1
> > login   auth required           pam_unix_cred.so.1
> > login   auth sufficient         pam_unix_auth.so.1
> > login   auth required           pam_ldap.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin  auth sufficient         pam_rhosts_auth.so.1
> > rlogin  auth requisite          pam_authtok_get.so.1
> > rlogin  auth required           pam_dhkeys.so.1
> > rlogin  auth required           pam_unix_cred.so.1
> > rlogin  auth sufficient         pam_unix_auth.so.1
> > rlogin  auth required           pam_ldap.so.1
> > #
> > # rsh service (explicit because of pam_rhost_auth,
> > # and pam_unix_auth for meaningful pam_setcred)
> > #
> > rsh     auth sufficient         pam_rhosts_auth.so.1
> > rsh     auth required           pam_unix_cred.so.1
> > #
> > # PPP service (explicit because of pam_dial_auth)
> > #
> > ppp     auth requisite          pam_authtok_get.so.1
> > ppp     auth required           pam_dhkeys.so.1
> > ppp     auth required           pam_dial_auth.so.1
> > ppp     auth sufficient         pam_unix_auth.so.1
> > ppp     auth required           pam_ldap.so.1
> > #
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other   auth requisite          pam_authtok_get.so.1
> > other   auth required           pam_dhkeys.so.1
> > other   auth required           pam_unix_cred.so.1
> > other   auth sufficient         pam_unix_auth.so.1
> > other   auth required           pam_ldap.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd  auth sufficient         pam_passwd_auth.so.1
> > passwd  auth required           pam_ldap.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron    account required        pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other   account requisite       pam_roles.so.1
> > other   account required        pam_unix_account.so.1
> > #
> >
> >
> > --- George Holbert <gholbert at broadcom.com> wrote:
> >   
> >> Susan,
> >>
> >> What does your PAM password stack look like on the Solaris 10 client?
> >> -- George
> >>
> >> Susan wrote:
> >>     
> >>> Well, I've gotten authentication working for solaris 10 & FDS.  (Thank you, everybody)
> >>>
> >>> As root, I can change any user's password and that works.  As a regular user, however, no
> >>>       
> >> luck:
> >>     
> >>> -bash-3.00$ passwd
> >>> passwd: Changing password for test
> >>> passwd: Sorry, wrong passwd
> >>> Permission denied
> >>>
> >>> -bash-3.00$ passwd -r ldap
> >>> passwd: Changing password for test
> >>> passwd: Sorry, wrong passwd
> >>> Permission denied
> >>> -bash-3.00$ 
> >>>
> >>> I've this aci:
> >>>
> >>> (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone
> >>> ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
> >>> ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
> >>> ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
> >>> ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate
> >>> ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow
> >>>       
> >> (write)
> >>     
> >>> userdn="ldap:///self";)
> >>>
> >>> Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux,
> >>>       
> >> non-root
> >>     
> >>> users can change their passwords just fine!
> >>>
> >>> I've also two of these ACIs which I got from Gary Tay's site:
> >>>
> >>> (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl
> >>> LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn =
> >>> "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
> >>>
> >>> (targetattr =
> >>>
> >>>       
> >
>
"cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version
> >   
> >>> 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
> >>>
> >>> They seem to doing nothing either, i.e. removing them neither fixes nor breaks anything.
> >>>
> >>> Nothing in server/client logs either...
> >>>
> >>> Any ideas?
> >>>
> >>> __________________________________________________
> >>> Do You Yahoo!?
> >>> Tired of spam?  Yahoo! Mail has the best spam protection around 
> >>> http://mail.yahoo.com 
> >>>
> >>> --
> >>> Fedora-directory-users mailing list
> >>> Fedora-directory-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>
> >>>   
> >>>       
> >> --
> >> Fedora-directory-users mailing list
> >> Fedora-directory-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>
> >>     
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around 
> > http://mail.yahoo.com 
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >   
> 
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 




More information about the Fedora-directory-users mailing list