[Freeipa-users] Need help with Solaris Host Based access control

Christian Horn chorn at fluxcoil.net
Fri Nov 7 08:13:30 UTC 2008


Mornings,

On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote:
> 
> The instructions are based on the ability of the pam_access PAM module 
> to check the access control rules specified in the access.conf.
> The group information can be retrieved from the IPA server via nss_ldap.
> 
> We tried to find similar functionality on other OS's. We spotted PAM 
> modules on HP-UX and AIX that are responsible for the similar 
> authorization checks.
> 
> But we are stuck with Solaris. All our investigations about similar 
> functionality in Solaris bear no fruit. We saw pam_roles and 
> pam_unix_account on Solaris but they do not seem to accomplish what we 
> are trying to do.
> 
> We are looking for some help and advice from Solaris experts on this 
> functionality.

Checked with the Solaris guys, this is in use for pure LDAP authentication/
authorization.
Apparently just after hooking up a Solaris box to LDAP no user
is allowed to log in.

The permissions to login are handled by this:

a) entries in /etc/passwd, containing names of NIS-netgroups
   whose members are allowed to log in, i.e.

	+@netgroup1::::::

b) entries in /etc/shadow, containing names of NIS-netgroups
   whose members are allowed to log in, i.e.

	+@netgroup1::::::::
   (that's 8 colons vs. 6 on the /etc/passwd entries)

c) entries in /etc/nsswitch.conf for this to work:

	passwd:     compat
	passwd_compat: ldap [NOTFOUND=return]


I don't use this myself on Solaris boxen, but it should be enough to see
the Solaris way to handle those login authorizations.


Christian
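As an added example (not part of Christian's message or of the IPA project), a small Python lint for the compat entries described above: it checks the 6-vs-8 colon rule for `+@netgroup` lines and reports netgroups granted in one file but not the other. The field counts (7 in /etc/passwd, 9 in /etc/shadow) follow from the colon counts in the post; the sample file contents are constructed.

```python
# Added example, not code from the post: lint Solaris compat-mode
# "+@netgroup" entries. A grant line must carry its file's field count
# (7 in /etc/passwd, 9 in /etc/shadow, i.e. 6 vs. 8 colons), and a
# netgroup present in only one file is flagged. Samples are constructed.
PASSWD_FIELDS = 7   # name:passwd:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:passwd:lastchg:min:max:warn:inactive:expire:flag


def compat_netgroups(text, expected_fields, filename, errors):
    """Collect netgroup names from '+@name' lines; malformed lines go to errors."""
    groups = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("+@"):
            continue  # local user, bare '+' wildcard, or '-@' deny entry
        fields = line.split(":")
        name = fields[0][2:]
        if not name:
            errors.append(f"{filename}:{lineno}: '+@' without a netgroup name")
        elif len(fields) != expected_fields:
            errors.append(f"{filename}:{lineno}: {name}: {len(fields) - 1} colons, "
                          f"expected {expected_fields - 1}")
        else:
            groups.add(name)
    return groups


def lint_compat(passwd_text, shadow_text):
    """Return (passwd_netgroups, shadow_netgroups, errors) for the two files."""
    errors = []
    in_passwd = compat_netgroups(passwd_text, PASSWD_FIELDS, "/etc/passwd", errors)
    in_shadow = compat_netgroups(shadow_text, SHADOW_FIELDS, "/etc/shadow", errors)
    for name in sorted(in_passwd - in_shadow):
        errors.append(f"netgroup {name} granted in /etc/passwd but not /etc/shadow")
    for name in sorted(in_shadow - in_passwd):
        errors.append(f"netgroup {name} granted in /etc/shadow but not /etc/passwd")
    return in_passwd, in_shadow, errors


# Constructed samples: netgroup1 is correct, netgroup2 uses the passwd
# colon count in shadow, netgroup3 appears only in shadow.
SAMPLE_PASSWD = "root:x:0:0:Super-User:/:/usr/bin/bash\n+@netgroup1::::::\n+@netgroup2::::::\n"
SAMPLE_SHADOW = ("root:*LK*:6445::::::\n+@netgroup1::::::::\n"
                 "+@netgroup2::::::\n+@netgroup3::::::::\n")

if __name__ == "__main__":
    for err in lint_compat(SAMPLE_PASSWD, SAMPLE_SHADOW)[2]:
        print(err)
```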