Directory Server OID control for passwordless logins of Solaris Clients

This is from the Sun website about their pam_ldap module:

Configuring PAM to Use LDAP server_policy

To configure PAM to use LDAP server_policy, follow the sample in Example
pam_conf file for pam_ldap Configured for Account Management
<http://docs.sun.com/app/docs/doc/816-4556/schemas-250?a=view>.
Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file.
In addition, if any PAM module in the sample pam.conf file specifies the
binding flag and the server_policy option, use the same flag and option for
the corresponding module in the client's /etc/pam.conf file. Also, add the
server_policy option to the line that contains the service module
pam_authtok_store.so.1.
------------------------------
*Note*

Previously, if you enabled pam_ldap account management, all users needed to
provide a login password for authentication any time they logged in to the
system. Therefore, nonpassword-based logins using tools such as rsh, rlogin,
or ssh would fail.

Now, however, pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view>,
when used with Sun Java System Directory Servers DS5.2p4 and newer releases,
enables users to log in with rsh, rlogin, rcp and ssh without giving a
password.

pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view> is
now modified to perform account management and retrieve the account status
of users without authenticating to Directory Server as the user logging in.
The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8,
which is enabled by default.

To modify this control for other than default, add Access Control
Instructions (ACI) on Directory Server:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config";);)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config


I wanted to know if there is a known working version of this for ssh
keys with account management for 389.
Specifically, is this OID control available for 389?

Thanks!
Chuck
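As an added example (not from the original post or the Sun documentation quoted above), a POSIX shell check of whether a directory server advertises the Account Usable control OID among the supportedControl values of its rootDSE, which is the first thing to verify before enabling the ACI above on any server. The rootDSE output below is a constructed sample so the script runs offline; the hostname in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: check whether a directory server advertises the
# Password Policy Account Usable Request Control in its rootDSE.
# Against a live server the output would come from (placeholder host):
#   ldapsearch -x -H ldap://ldap.example.com -s base -b '' supportedControl
ACCOUNT_USABLE_OID='1.3.6.1.4.1.42.2.27.9.5.8'

# Constructed sample of ldapsearch rootDSE output; one value is folded
# across two lines the way LDIF does for long attributes.
SAMPLE_ROOTDSE='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.2.840.1135
 56.1.4.473
'

# rootdse_controls: read ldapsearch-style LDIF on stdin and print one
# supportedControl OID per line, after unfolding continuation lines
# (a continuation line starts with a single space).
rootdse_controls() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | sed -n 's/^supportedControl: *//p'
}

# has_control OID: exit 0 when the OID is advertised on stdin, 1 otherwise.
# -F keeps the dots in the OID from being treated as regex wildcards.
has_control() {
    rootdse_controls | grep -qxF "$1"
}

# check_sample: run the check against the constructed sample.
check_sample() {
    if printf '%s' "$SAMPLE_ROOTDSE" | has_control "$ACCOUNT_USABLE_OID"; then
        echo "Account Usable control ($ACCOUNT_USABLE_OID) is advertised"
        return 0
    fi
    echo "Account Usable control ($ACCOUNT_USABLE_OID) is NOT advertised"
    return 1
}
```

Replace the sample with the real ldapsearch output (or pipe ldapsearch directly into has_control) to test a 389 instance; an OID absent from supportedControl means clients cannot rely on that control regardless of any ACI.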

