[Fedora-directory-users] allowing users to change their own passwords (solaris 10)
Susan
logastellus at yahoo.com
Wed Feb 22 22:28:44 UTC 2006
I got it from docs.sun.com:
-bash-3.00# cat /etc/pam.conf
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
--- George Holbert <gholbert at broadcom.com> wrote:
> Susan,
>
> What does your PAM password stack look like on the Solaris 10 client?
> -- George
>
> Susan wrote:
> > Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
> >
> > As root, I can change any user's password and that works. As a regular user, however, no luck:
> >
> > -bash-3.00$ passwd
> > passwd: Changing password for test
> > passwd: Sorry, wrong passwd
> > Permission denied
> >
> > -bash-3.00$ passwd -r ldap
> > passwd: Changing password for test
> > passwd: Sorry, wrong passwd
> > Permission denied
> > -bash-3.00$
> >
> > I've this aci:
> >
> > (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone
> > ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
> > ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
> > ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
> > ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate
> > ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write)
> > userdn="ldap:///self";)
> >
> > Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root
> > users can change their passwords just fine!
> >
> > I've also two of these ACIs which I got from Gary Tay's site:
> >
> > (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl
> > LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn =
> > "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
> >
> > (targetattr =
> > "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version
> > 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
> >
> > They seem to be doing nothing either, i.e. removing them neither fixes nor breaks anything.
> >
> > Nothing in server/client logs either...
> >
> > Any ideas?
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
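George's question concerns the PAM password stack, while the pam.conf lines posted in reply are auth and account entries. The following is an added example, not part of the thread: it parses pam.conf-style lines and reports which management types a service has no entries for, after applying the per-type fallback to `other` that the file's own comments describe. The sample text is a subset of the lines posted above; the function names are this example's own.

```python
from collections import defaultdict

MODULE_TYPES = ("auth", "account", "session", "password")

# Sample input: the passwd, cron and "other" lines from the message above.
PAM_CONF = """\
other   auth     requisite   pam_authtok_get.so.1
other   auth     required    pam_dhkeys.so.1
other   auth     required    pam_unix_cred.so.1
other   auth     sufficient  pam_unix_auth.so.1
other   auth     required    pam_ldap.so.1
passwd  auth     sufficient  pam_passwd_auth.so.1
passwd  auth     required    pam_ldap.so.1
cron    account  required    pam_unix_account.so.1
other   account  requisite   pam_roles.so.1
other   account  required    pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module), ...]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            continue                          # not a well-formed stack entry
        service, mtype, flag, module = fields[:4]
        stacks[service][mtype].append((flag, module))
    return stacks

def effective_stack(stacks, service, mtype):
    """Entries used for service/mtype: its own lines, else those of "other"."""
    own = stacks.get(service, {}).get(mtype)
    return own if own else stacks.get("other", {}).get(mtype, [])

def missing_types(stacks, service):
    """Management types with no entries at all, even via "other"."""
    return [t for t in MODULE_TYPES if not effective_stack(stacks, service, t)]

if __name__ == "__main__":
    stacks = parse_pam_conf(PAM_CONF)
    for mtype in MODULE_TYPES:
        print(f"passwd {mtype:8} -> {effective_stack(stacks, 'passwd', mtype)}")
    print("no entries for:", missing_types(stacks, "passwd"))
```

Run against a full /etc/pam.conf rather than this subset, the same report shows whether `passwd` resolves to any password-management entries at all.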