[Fedora-directory-users] Account expiration on Solaris 2.8 does not work.

Tay, Gary Gary_Tay at platts.com
Sat Nov 19 02:43:57 UTC 2005


I believe the ACL, and another one (see related post), are added by the SUN DS5.2 "idsconfig" command (iPlanet Directory Server Config). Since FDS7.1 does not provide this command, these two ACLs do not exist; you could simply add them at the "dc=example,dc=com" (defaultSearchBase) level, using copy and paste and manual editing mode.
 
See related post:
https://www.redhat.com/archives/fedora-directory-users/2005-July/msg00133.html
 
I have seen Account Management features like account lockout, account password reset leading to a forced user password change, and account expiration working with the Solaris Native LDAP Client libraries. If you use the OpenLDAP+PADL client libraries, I do not know what will be in store for you; most likely it won't work.
 
I highly recommend the use of the Native Client libs, or else when SUN changes something your hard-worked craft may not work anymore.
 
Gary

	-----Original Message----- 
	From: fedora-directory-users-bounces at redhat.com on behalf of Vsevolod (Simon) Ilyushchenko 
	Sent: Sat 11/19/2005 2:49 AM 
	To: General discussion list for the Fedora Directory server project. 
	Cc: 
	Subject: Re: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
	
	

	Gary,
	
	You totally rule! Thanks! I'll try patching next week.
	
	BTW - I'm not using native Solaris client, I have installed the Openldap
	client libraries.
	
	How do I change the ACL below? If I select the "access permissions" menu
	item on dc=example,dc=com, I get a window with the following ACLs
	defined:
	
	Enable anonymous access
	Enable self write for common attributes
	Configuration Administrator
	Configuration Administrator Group
	Directory Administrator Group
	SIE Group
	
	I can also add new ACLs, but I'm not sure how to find the one you are
	referring to.
	
	Thanks,
	Simon
	
	
	 > 1) Did you change this ACL? This is a workaround to make pam_ldap
	 > work with account management.
	 >
	 > In FDS, open Directory Server, select defaultSearchBase, i.e.
	 > dc=example,dc=com, and edit one of the listed ACIs, which is usually
	 > named "LDAP_Naming_Services_proxy_password_read":
	 >
	 > Change it.
	 >
	 > From:
	 > (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
	 >
	 > To:
	 > (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
	 >
	 >
	 > 2) After creating a user entry, did you add "posixAccount" as well as
	 > "shadowAccount" to it in the admin console, and enter values for the
	 > uidNumber and gidNumber posixAccount attributes?
	 >
	 > 3) Make VERY sure that your user entry contains a VALID homeDirectory
	 > path and loginShell.
	 >
	 > 4) If netgroup compat mode is used on the Solaris8 Native LDAP Client,
	 > you have to blank out the 2nd and 3rd fields of all +@netgroupX lines, eg:
	 >
	 > +@netgroup1 ::::::::
	 > +@netgroup2 ::::::::
	 >
	 > 5) Make sure the LDAP domain name in /etc/defaultdomain is defined at the
	 > Solaris8 LDAP Client, and a nisDomainObject "example.com" exists at the
	 > root entry of the LDAP DIT.
	 >
	 > # echo "example.com" >/etc/defaultdomain
	 > # domainname `cat /etc/defaultdomain`
	 >
	 > 6) Check that passwordStorageScheme in cn=config is "crypt"
	 >
	 > Gary
	 >
	 >      -----Original Message-----
	 >      From: fedora-directory-users-bounces at redhat.com on behalf of Vsevolod (Simon) Ilyushchenko
	 >      Sent: Sat 11/19/2005 1:26 AM
	 >      To: General discussion list for the Fedora Directory server project.
	 >      Cc:
	 >      Subject: [Fedora-directory-users] Account expiration on Solaris 2.8 does not work.
	 >     
	 >     
	 >
	 >      Hi,
	 >     
	 >      I have successfully configured a Solaris 2.8 box to use FDS as the
	 >      authentication server. However, one detail eludes me.
	 >     
	 >      I'd like to be able to inactivate accounts. This feature works fine with
	 >      Linux clients. With Solaris, I can get either LDAP inactivation or local
	 >      accounts work. :(
	 >     
	 >      If I have this in pam.conf, then the LDAP accounts are locked out
	 >      correctly, but local accounts don't work at all!
	 >     
	 >      other   account requisite pam_roles.so.1
	 >      other   account required  pam_unix_account.so.1 server_policy
	 >      other   account required  pam_ldap.so
	 >     
	 >      If I run ssh -d -d -d to a local account, it tells me:
	 >      debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
	 >     
	 >      On the other hand, if I have this in pam.conf (and that's what Gary
	 >      Tay's guide recommends), then local accounts work fine, but I have a
	 >      locked LDAP account that accepts ANY password:
	 >     
	 >      other   account requisite pam_roles.so.1
	 >      other   account binding  pam_unix_account.so.1 server_policy
	 >      other   account required  pam_ldap.so
	 >     
	 >      Is there a particular patch set, perhaps, that would solve this?
	 >     
	 >      Thanks,
	 >      Simon
	 >      --
	 >     
	 >      Simon (Vsevolod ILyushchenko)   simonf at cshl.edu
	 >                                      http://www.simonf.com
	 >     
	 >      "Think like a man of action, act like a man of thought."
	 >     
	 >                               Henri Bergson
	 >     
	 >      --
	 >      Fedora-directory-users mailing list
	 >      Fedora-directory-users at redhat.com
	 >      https://www.redhat.com/mailman/listinfo/fedora-directory-users
	 >     

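The two pam.conf account stacks quoted in the thread differ only in the control flag on pam_unix_account.so.1. As an added example that is not part of the thread, the Python below models how the Solaris PAM framework combines module results under the requisite, required and binding flags, using constructed (assumed) per-module return codes for a local user and an inactivated LDAP user; it reproduces the two outcomes Simon reports: code 13 for the local user under the required stack, and a clean pass for the locked LDAP user under the binding stack, because a binding success ends the stack before pam_ldap is ever consulted.

```python
PAM_SUCCESS, PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED = 0, 13, 16

# (module, control flag) pairs, as in the two pam.conf fragments in the thread
STACK_REQUIRED = [("pam_roles.so.1", "requisite"),
                  ("pam_unix_account.so.1", "required"),
                  ("pam_ldap.so", "required")]
STACK_BINDING = [("pam_roles.so.1", "requisite"),
                 ("pam_unix_account.so.1", "binding"),
                 ("pam_ldap.so", "required")]

# Constructed per-user module results (assumed, for illustration only).
# pam_ldap has no entry for a local user, so it reports 13 (user unknown);
# pam_unix_account with server_policy passes the LDAP user through, and
# pam_ldap reports the inactivated account as expired.
RESULTS = {
    "localuser": {"pam_roles.so.1": PAM_SUCCESS,
                  "pam_unix_account.so.1": PAM_SUCCESS,
                  "pam_ldap.so": PAM_USER_UNKNOWN},
    "lockedldap": {"pam_roles.so.1": PAM_SUCCESS,
                   "pam_unix_account.so.1": PAM_SUCCESS,
                   "pam_ldap.so": PAM_ACCT_EXPIRED},
}

def run_account_stack(stack, results):
    """Combine module results as the Solaris PAM framework does for
    requisite / required / binding (sufficient and optional omitted)."""
    failure = None                         # first required/binding failure
    for module, flag in stack:
        rc = results[module]
        ok = rc == PAM_SUCCESS
        if flag == "requisite" and not ok:
            return failure if failure is not None else rc   # stop at once
        if flag == "binding" and ok and failure is None:
            return PAM_SUCCESS             # short-circuit: pam_ldap never runs
        if flag in ("required", "binding") and not ok and failure is None:
            failure = rc                   # remember, but keep calling modules
    return PAM_SUCCESS if failure is None else failure

def outcomes():
    """Map (stack name, user) -> framework return code for both stacks."""
    return {(name, user): run_account_stack(stack, RESULTS[user])
            for name, stack in (("required", STACK_REQUIRED),
                                ("binding", STACK_BINDING))
            for user in RESULTS}

if __name__ == "__main__":
    for key, rc in outcomes().items():
        print(key, "->", rc)
```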