[389-users] PosixGroup

dan kakon kakon.dan at gmail.com
Wed Nov 25 15:51:59 UTC 2009


I added a shadowaccount, and I ran the commands getent passwd (OK, this
works), getent group (OK, this works) and getent shadow (this works).

ldapsearch -h localhost "uid=dkakon"
version: 1
dn: uid=dkakon,ou=People,dc=fr,dc=publicisgroupe,dc=net
givenName: dan
sn: kakon
telephoneNumber: 0650621292
loginShell: /bin/bash
gidNumber: 700
uidNumber: 700
mail: kakon.dan at gmail.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
objectClass: passwordpolicy
objectClass: passwordobject
uid: dkakon
gecos: Dan Kakon
cn: dan kakon
homeDirectory: /home/dkakon
shadowMax: 99999
shadowMin: 00000
shadowLastChange: 14573
shadowWarning: 7
userPassword: {SSHA}3atvCZ+60iYb0qFtyzWg2p+HZFbpUgqCa4W0Xw==
passwordStorageScheme: MD5


I don't a scheme of userPassword {SSHA} is by default; I added many attributes:
shadowaccount, passwordpolicy.

I added a userpassword value on my group dkakon, and I went to authenticate my
user dkakon. Now this works.

file /etc/ldap.conf (client rhel 5.4):

host rh5std.fr.publicisgroupe.net
base dc=fr,dc=publicisgroupe,dc=net
uri ldap://rh5std.fr.publicisgroupe.net
ldap_version 3
port 389
scope one
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password ssha
nss_base_passwd ou=People,dc=fr,dc=publicisgroupe,dc=net?sub
nss_base_shadow ou=People,dc=fr,dc=publicisgroupe,dc=net?sub
nss_base_group  ou=Groups,dc=fr,dc=publicisgroupe,dc=net?sub



2009/11/25 Andrew C. Dingman <andrew at dingman.org>

> On Wed, 2009-11-25 at 11:07 +0100, dan kakon wrote:
> > I do not see a password in a shadow file, id user.
> Nor should you. Neither /etc/passwd nor /etc/shadow should contain any
> reference to your LDAP users. If things are set up right, though, you
> should be able to view them as NSS sees them with 'getent passwd' and
> 'getent shadow'. Depending on how you chose to set things up, there may
> be no shadow entries at all. Arguably, you don't need the shadow
> information for LDAP users, if password expiration and account validity
> are all being enforced at the directory server level.

Dan Kakon
126, Avenue de Paris
94300 Vincennes
Tel : 0178689468
Port : 0650621292
email :dankakon at dksn.net
         kakon.dan at gmail.com
Blog DKSN: www.dksn.net
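
Added example, not part of the original message or of the 389 project's code: the {SSHA} prefix on the userPassword value in the entry above identifies how that value was hashed, namely base64 of a SHA-1 digest followed by the salt. The sketch below parses such a value and verifies a candidate password against it; the function names and the sample password are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Salted schemes handled here: name -> (hashlib algorithm, digest size in bytes).
# The salt is whatever follows the digest in the decoded value.
DIGESTS = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}


def parse_user_password(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {SCHEME} prefix: value is not a hashed userPassword")
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    size = DIGESTS[scheme][1]
    if len(raw) <= size:
        raise ValueError("value too short to hold a digest and a salt")
    return scheme, raw[:size], raw[size:]


def make_salted(scheme, password, salt):
    """Build a userPassword value: base64(H(password + salt) + salt)."""
    algo = DIGESTS[scheme][0]
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(value, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, digest, salt = parse_user_password(value)
    algo = DIGESTS[scheme][0]
    recomputed = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(recomputed, digest)


# Constructed sample (not a real credential); fixed salt keeps the result reproducible.
SAMPLE = make_salted("SSHA", "correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08")

if __name__ == "__main__":
    scheme, digest, salt = parse_user_password(SAMPLE)
    print(scheme, len(digest), len(salt), verify(SAMPLE, "correct horse"))
```

Run against the userPassword value in the entry above, parse_user_password reports the SSHA scheme with a 20-byte digest and an 8-byte salt.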