Directory Server OID control for passwordless logins of Solaris Clients


 



Charles Gilbert wrote:
>
>
>       This is from the Sun website about their pam_ldap module:
>
>
>
>       Configuring PAM to Use LDAP server_policy
>
> To configure PAM to use LDAP server_policy, follow the sample in 
> Example pam_conf file for pam_ldap Configured for Account Management 
> <http://docs.sun.com/app/docs/doc/816-4556/schemas-250?a=view>. Add 
> the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf 
> file. In addition, if any PAM module in the sample pam.conf file 
> specifies the binding flag and the server_policy option, use the same 
> flag and option for the corresponding module in the client's 
> /etc/pam.conf file. Also, add the server_policy option to the line 
> that contains the service module pam_authtok_store.so.1.
>
> ------------------------------------------------------------------------
> *Note*
>
> Previously, if you enabled pam_ldap account management, all users 
> needed to provide a login password for authentication any time they 
> logged in to the system. Therefore, nonpassword-based logins using 
> tools such as rsh, rlogin, or ssh would fail.
>
> Now, however, pam_ldap(5) 
> <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view>, when 
> used with Sun Java System Directory Servers DS5.2p4 and newer 
> releases, enables users to log in with rsh, rlogin, rcp and ssh 
> without giving a password.
>
> pam_ldap(5) 
> <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view> is now 
> modified to perform account management and retrieve the account status 
> of users without authenticating to Directory Server as the user 
> logging in. The new control to this on Directory Server is 
> 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.
>
> To modify this control for other than default, add Access Control 
> Instructions (ACI) on Directory Server:
>
>
> dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
> objectClass: top
> objectClass: directoryServerFeature
> oid:1.3.6.1.4.1.42.2.27.9.5.8
> cn:Password Policy Account Usable Request Control
> aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
>      allow (read, search, compare, proxy)
>      (groupdn = "ldap:///cn=Administrators,cn=config");)
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
>
>
> I wanted to know if there is a known working version of this for ssh keys with account management for 389.
>   
I'm not sure.  Other posters have provided information about using ssh 
keys with 389.
> Specifically, is this OID control available for 389?
>   
No, this control is not provided by 389.  Please file a bug/RFE for this 
feature.   https://bugzilla.redhat.com/enter_bug.cgi?product=389
> Thanks!
> Chuck
>   
>
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
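
Added example, not part of the thread and not code from Sun or the 389 project: a directory server lists the request controls it supports in the supportedControl attribute of its root DSE, so the question above can be checked per server by looking for the OID there. This Python sketch parses root DSE output in LDIF form (folded lines and base64 values included); the sample inputs are constructed, and the function names are hypothetical.

```python
import base64

# OID of the Account Usable Request Control, as quoted from the Sun docs above.
ACCOUNT_USABLE_OID = "1.3.6.1.4.1.42.2.27.9.5.8"

# Constructed samples of root DSE output in LDIF form, of the kind printed by
# OpenLDAP's `ldapsearch -x -H ldap://HOST -s base -b "" supportedControl`.
# They are illustrative only and were not captured from a real server.
_B64 = base64.b64encode(b"1.2.840.113556.1.4.319").decode("ascii")
SAMPLE_WITH_CONTROL = (
    "dn:\n"
    "supportedControl: 2.16.840.1.113730.3.4.2\n"
    "supportedControl: 1.3.6.1.4.1.42.2.27.\n"   # value folded across two lines
    " 9.5.8\n"
    f"supportedControl:: {_B64}\n"               # base64-encoded value
)
SAMPLE_WITHOUT_CONTROL = (
    "dn:\n"
    "supportedControl: 2.16.840.1.113730.3.4.2\n"
    "supportedControl: 1.2.840.113556.1.4.319\n"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attribute_values(ldif_text, attr):
    """Return all values of attr, decoding 'attr:: <base64>' forms."""
    wanted = attr.lower()
    values = []
    for line in unfold(ldif_text):
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != wanted:
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def advertises_control(ldif_text, oid=ACCOUNT_USABLE_OID):
    """True if the root DSE LDIF lists oid among its supported controls."""
    return oid in attribute_values(ldif_text, "supportedControl")
```

A server that does not list the OID cannot answer the account-status query pam_ldap sends, so passwordless logins would not get the account management behaviour the quoted documentation describes.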


