[Fedora-directory-users] fds on solaris 9 with PAM

basile au siris basile.mathieu at siris.sorbonne.fr
Wed Sep 21 08:38:30 UTC 2005


Thanks a lot.
All works fine, it was the objectClass shadowAccount which was not present.
basile

Tay, Gary wrote:

>It is recommended that latest kernel and LDAP patch be applied to Solaris boxes.
> 
>You may follow:
> 
>http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
> 
>and
> 
>http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm
> 
>You should add "shadowAccount" objectclass to the LDAP user entries if it is not already there, as there may be evidence in access log file that Solaris LDAP client is looking for these attributes "uid userPassword shadowFlag", i.e. it needs shadowAccount objectClass which provides shadowFlag.
> 
>FDS may create ou=Groups which is based on groupOfUniqueNames, Solaris LDAP Client would probably use posixGroup/memberUid, so you should create an ou=group to contain all posixGroups.
> 
>If you use OpenSSH, you should compile/build it "--with-pam" and have "UsePAM" (it may be called "PAMAuthenticationViaKbdInt yes" in older versions of OpenSSH) in the sshd_config file; the SUN version of SSH should already have PAM support compiled in.
> 
>Gary
>
>	-----Original Message----- 
>	From: fedora-directory-users-bounces at redhat.com on behalf of Basile Mathieu 
>	Sent: Tue 9/20/2005 3:03 AM 
>	To: fedora-directory-users at redhat.com 
>	Cc: 
>	Subject: [Fedora-directory-users] fds on solaris 9 with PAM
>	
>	
>
>	hi
>	
>	I've got FDS installed on a Solaris 9 server and want to use
>	FDS in place of the /etc/passwd and /etc/shadow files.
>	FDS works fine: I can populate the directory (and use all the ldap commands), and
>	the id, getent, su and ldaplist commands work fine.
>	Here are my problems:
>	login, ssh and telnet don't work with users in the directory.
>	Here are the logs of sshd:
>	
>	sshd[1523]: [ID 800047 auth.error] error: PAM: No account present for user for
>	bmathieu from gentoo1
>	
>	and for login
>	
>	login: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple
>	bind failed - Invalid credentials
>	
>	A user can't change his password (root can, and I can modify the password
>	with ldapmodify binding as this user).
>	
>	I think that PAM doesn't work.
>	Here is my /etc/pam.conf:
>	#
>	# Authentication management
>	#
>	# login service (explicit because of pam_dial_auth)
>	#
>	login   auth requisite        pam_authtok_get.so.1
>	login   auth required         pam_dhkeys.so.1
>	login   auth required         pam_unix_cred.so.1
>	login   auth required         pam_dial_auth.so.1
>	login   auth binding          pam_unix_auth.so.1 server_policy
>	login   auth required         pam_ldap.so.1
>	
>	#sshd   auth requisite          pam_authtok_get.so.1
>	#sshd   auth required           pam_dhkeys.so.1
>	#sshd   auth binding            pam_unix_auth.so.1 server_policy
>	#sshd   auth required           pam_ldap.so.1
>	#sshd   account required        pam_unix_account.so.1
>	
>	sshd   auth requisite          pam_authtok_get.so.1
>	sshd   auth required           pam_dhkeys.so.1
>	sshd   auth sufficient         pam_unix_auth.so.1
>	sshd   auth required           pam_ldap.so.1
>	sshd   account required        pam_unix_account.so.1
>	
>	#
>	# rlogin service (explicit because of pam_rhost_auth)
>	#
>	rlogin  auth sufficient       pam_rhosts_auth.so.1
>	rlogin  auth requisite        pam_authtok_get.so.1
>	rlogin  auth required         pam_dhkeys.so.1
>	#rlogin  auth required         pam_unix_cred.so.1
>	rlogin  auth binding          pam_unix_auth.so.1 server_policy
>	rlogin  auth required         pam_ldap.so.1
>	#
>	# rsh service (explicit because of pam_rhost_auth,
>	# and pam_unix_auth for meaningful pam_setcred)
>	rsh     auth sufficient       pam_rhosts_auth.so.1
>	#rsh     auth required         pam_unix_cred.so.1
>	rsh     auth binding          pam_unix_auth.so.1 server_policy
>	rsh     auth required         pam_ldap.so.1
>	#
>	# PPP service (explicit because of pam_dial_auth)
>	#
>	ppp     auth requisite        pam_authtok_get.so.1
>	ppp     auth required         pam_dhkeys.so.1
>	ppp     auth required         pam_dial_auth.so.1
>	ppp     auth binding          pam_unix_auth.so.1 server_policy
>	ppp     auth required         pam_ldap.so.1
>	#
>	# Default definitions for Authentication management
>	# Used when service name is not explicitly mentioned for authentication
>	#
>	other   auth requisite        pam_authtok_get.so.1
>	other   auth required         pam_dhkeys.so.1
>	#other   auth required         pam_unix_cred.so.1
>	other   auth binding          pam_unix_auth.so.1 server_policy
>	other   auth required         pam_ldap.so.1
>	#
>	# passwd command (explicit because of a different authentication module)
>	#
>	passwd  auth binding          pam_passwd_auth.so.1 server_policy
>	passwd  auth required         pam_ldap.so.1
>	#
>	# cron service (explicit because of non-usage of pam_roles.so.1)
>	#
>	cron    account required      pam_unix_account.so.1
>	#
>	# Default definition for Account management
>	# Used when service name is not explicitly mentioned for account management
>	#
>	other   account requisite     pam_roles.so.1
>	other   account binding       pam_unix_account.so.1 server_policy
>	other   account required      pam_ldap.so.1
>	#
>	# Default definition for Session management
>	# Used when service name is not explicitly mentioned for session management
>	#
>	other   session required      pam_unix_session.so.1
>	#
>	# Default definition for  Password management
>	# Used when service name is not explicitly mentioned for password management
>	#
>	other   password required     pam_dhkeys.so.1
>	other   password requisite    pam_authtok_get.so.1
>	other   password requisite    pam_authtok_check.so.1
>	other   password required     pam_authtok_store.so.1 server_policy
>	
>	thanks
>	
>	
>	--------------------------------------------------------
>	Ce message a été envoyé par le Webmail Sorbonne via IMP.
>	http://courrier.sorbonne.fr/   http://mail.sorbonne.fr/
>	
>	--
>	Fedora-directory-users mailing list
>	Fedora-directory-users at redhat.com
>	https://www.redhat.com/mailman/listinfo/fedora-directory-users
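As an added example, not code from the thread or from FDS: a small Python 3 script that audits an LDIF export of the user entries for exactly the gap Gary describes (posixAccount entries without shadowAccount, so no shadowFlag for the Solaris client's "uid userPassword shadowFlag" lookup) and emits the modify LDIF that ldapmodify would apply. The sample entries and the base DN are constructed assumptions.

```python
# Constructed sample export of ou=People; the names are placeholders, not
# entries from the thread. Python 3, standard library only.
SAMPLE_LDIF = """\
dn: uid=bmathieu,ou=People,dc=example,dc=fr
objectClass: posixAccount
uid: bmathieu
uidNumber: 1001

dn: uid=gary,ou=People,dc=example,dc=fr
objectClass: posixAccount
objectClass: shadowAccount
uid: gary
uidNumber: 1002
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]. Continuation lines
    (leading space) are unfolded; base64 ('::') values are skipped."""
    entries, block = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes last entry
        if line.startswith(" ") and block:
            block[-1] += line[1:]
        elif line.strip():
            block.append(line)
        elif block:
            dn, attrs = None, {}
            for raw in block:
                key, _, val = raw.partition(":")
                if val.startswith(":"):          # base64 value, not needed here
                    continue
                key, val = key.strip().lower(), val.strip()
                if key == "dn":
                    dn = val
                else:
                    attrs.setdefault(key, []).append(val)
            entries.append((dn, attrs))
            block = []
    return entries

def missing_shadow_account(entries):
    """DNs of posixAccount entries the Solaris client would reject: no
    shadowAccount, hence no shadowFlag attribute for it to search for."""
    classes = lambda a: {c.lower() for c in a.get("objectclass", [])}
    return [dn for dn, attrs in entries
            if "posixaccount" in classes(attrs)
            and "shadowaccount" not in classes(attrs)]

def fix_ldif(dns):
    """LDIF change records adding the missing objectClass, for ldapmodify."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
                     f"objectClass: shadowAccount\n" for dn in dns)
```

Run `print(fix_ldif(missing_shadow_account(parse_ldif(open("people.ldif").read()))))` against a real export to get the change file; replication partners need no separate fix since the modify is replicated.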