[Freeipa-devel] Re: [Freeipa-users] Need help with Solaris Host Based access control

Dmitri Pal dpal at redhat.com
Fri Nov 7 14:27:00 UTC 2008


Thank you Christian!
I will dig more into it.

Dmitri

Christian Horn wrote:
> Mornings,
>
> On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote:
>   
>> The instructions are based on the ability of the pam_access PAM module 
>> to check the access control rules specified in the access.conf.
>> The group information can be retrieved from the IPA server via nss_ldap.
>>
>> We tried to find similar functionality on other OS's. We spotted PAM 
>> modules on HP-UX and AIX that are responsible for the similar 
>> authorization checks.
>>
>> But we are stuck with Solaris. All our investigations about similar 
>> functionality in Solaris bear no fruits.  We saw pam_roles and 
>> pam_unix_account on Solaris but they do not seem to accomplish what we 
>> are trying to do.
>>
>> We are looking for some help and advice from Solaris experts on this 
>> functionality.
>>     
>
> Checked with the Solaris guys; this is in use for pure LDAP authentication/
> authorization.
> Apparently, just after hooking up a Solaris box to LDAP, no user
> is allowed to log in.
>
> The permissions to login are handled by this:
>
> a) entries in /etc/passwd, containing names of NIS netgroups
>    whose members are allowed to log in, i.e.
>
> 	+@netgroup1::::::
>
> b) entries in /etc/shadow, containing names of NIS netgroups
>    whose members are allowed to log in, i.e.
>
> 	+@netgroup1::::::::
>    (that's 8 colons vs. 6 on the /etc/passwd entries)
>
> c) entries in /etc/nsswitch.conf for this to work:
>
> 	passwd:     compat
> 	passwd_compat: ldap [NOTFOUND=return]
>
>
> I don't use this myself on Solaris boxen, but it should be enough to see
> the Solaris way to handle those login authorizations.
>
>
> Christian
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   
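The procedure Christian describes (steps a, b and c), as an added example that is not part of the thread and not Solaris or IPA code: a shell script that applies the entries to constructed copies of passwd, shadow and nsswitch.conf inside a temporary directory, checks the 6-versus-8 colon counts, and emulates the compat-mode lookup to show why an LDAP user only resolves once a `+@netgroup` line names a netgroup they belong to. The `+@`/`-@`/`+` merging rules are assumed from standard NIS-compat behaviour; the users, the netgroup and the "LDAP" entries are constructed and never touch the real /etc.

```shell
#!/bin/sh
# Added example (not from the list thread): a constructed model of Solaris
# compat-mode passwd/shadow merging, run entirely inside a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the entries the LDAP/IPA passwd map would return.
cat > "$WORK/ldap_passwd" <<'EOF'
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
EOF

# Constructed netgroup map, (host,user,domain) triples: carol is NOT a member.
cat > "$WORK/netgroup" <<'EOF'
netgroup1 (,alice,) (,bob,)
EOF

# Local files as they look right after joining LDAP, before any compat entries.
printf 'root:x:0:0:root:/:/bin/sh\n' > "$WORK/passwd"
printf 'root:*:0::::::\n' > "$WORK/shadow"
printf 'passwd:     files\n' > "$WORK/nsswitch.conf"

# Steps a), b) and c) from the mail, applied to the constructed copies.
enable_netgroup_login() {
    printf '+@%s::::::\n' "$1" >> "$WORK/passwd"      # 7 passwd fields -> 6 colons
    printf '+@%s::::::::\n' "$1" >> "$WORK/shadow"    # 9 shadow fields -> 8 colons
    cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     compat
passwd_compat: ldap [NOTFOUND=return]
EOF
}

# Colon count of the first +@ line in a file; 6 vs 8 is an easy thing to get wrong.
colons_in_compat_line() {
    grep '^+@' "$1" | head -n 1 | tr -cd ':' | wc -c | tr -d ' '
}

# True if user $2 appears in a (host,user,domain) triple of netgroup $1.
in_netgroup() {
    grep "^$1 " "$WORK/netgroup" | tr ' ' '\n' | grep -q "^(.*,$2,.*)$"
}

# Emulated compat lookup (assumed NIS-compat semantics): the local file is
# scanned in order; a plain entry matches directly, "+@ng" pulls the user from
# the LDAP source only if they are in ng, "-@ng" denies members of ng, and a
# bare "+" pulls everyone. With no +/- line at all, LDAP users never resolve,
# which is why nobody can log in right after joining the directory.
compat_getpwnam() {
    user=$1
    while IFS= read -r line; do
        case $line in
            "$user:"*) printf '%s\n' "$line"; return 0 ;;
            "+@"*) ng=${line%%:*}; ng=${ng#+@}
                   if in_netgroup "$ng" "$user"; then
                       grep "^$user:" "$WORK/ldap_passwd" && return 0
                   fi ;;
            "-@"*) ng=${line%%:*}; ng=${ng#-@}
                   if in_netgroup "$ng" "$user"; then return 1; fi ;;
            "+"|"+:"*) grep "^$user:" "$WORK/ldap_passwd" && return 0 ;;
        esac
    done < "$WORK/passwd"
    return 1
}

# Demonstration: nobody from LDAP resolves until the +@ lines exist.
if compat_getpwnam alice >/dev/null; then echo "alice resolved before compat entries?!"; fi
enable_netgroup_login netgroup1
echo "colons: passwd=$(colons_in_compat_line "$WORK/passwd") shadow=$(colons_in_compat_line "$WORK/shadow")"
for u in root alice bob carol; do
    if compat_getpwnam "$u" >/dev/null; then echo "$u: login permitted"; else echo "$u: not found (denied)"; fi
done
```

On a real box the same edits go to /etc/passwd, /etc/shadow and /etc/nsswitch.conf, and `getent passwd alice` (or a test login) is the check; the point of the emulation is that carol, who is in LDAP but not in netgroup1, stays unresolvable, and that a miscounted colon turns the `+@` line into a malformed entry rather than a permission.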