Re: Account expiration on Solaris 2.8 does not work.

Gary,

You totally rule! Thanks! I'll try patching next week.

BTW - I'm not using the native Solaris client; I have installed the OpenLDAP client libraries.

How do I change the ACL below? If I select the "access permissions" menu item on dc=example,dc=com, I get a window with the following ACLs defined:

Enable anonymous access
Enable self write for common attributes
Configuration Administrator
Configuration Administrator Group
Directory Administrator Group
SIE Group

I can also add new ACLs, but I'm not sure how to find the one you are referring to.

Thanks,
Simon


> 1) Did you change this ACL? this is a workaround to make pam_ldap work with account management.
>
> In FDS, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com and edit one of the listed ACIs, which is usually named “LDAP_Naming_Services_proxy_password_read”:
>
> Change it.
>
> From:
> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>
> To:
> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>
>
> 2) After creating user entry, did you add "posixAccount" as well as "shadowAccount" to them in admin. console? and enter values for uidNumber and gidNumber posixAccount attributes.
>
> 3) Make VERY sure that your user entry contains VALID homeDirectory path and loginShell.
>
> 4) If netgroup compat mode is used on the Solaris8 Native LDAP Client, you have to blank out the 2nd and 3rd fields of all +@netgroupX lines, e.g.:
>
> +@netgroup1 ::::::::
> +@netgroup2 ::::::::
>
> 5) Make sure the LDAP domain name in /etc/defaultdomain is defined on the Solaris8 LDAP Client, and that a nisDomainObject "example.com" exists at the root entry of the LDAP DIT.
>
> # echo "example.com" >/etc/defaultdomain
> # domainname `cat /etc/defaultdomain`
>
> 6) Check that passwordStorageScheme in cn=config is "crypt".
>
> Gary
>
> -----Original Message-----
> From: fedora-directory-users-bounces@xxxxxxxxxx on behalf of Vsevolod (Simon) Ilyushchenko
> Sent: Sat 11/19/2005 1:26 AM
> To: General discussion list for the Fedora Directory server project.
> Cc:
> Subject: Account expiration on Solaris 2.8 does not work.
>
>
> 	Hi,
> 	
> 	I have successfully configured a Solaris 2.8 box to use FDS as the
> 	authentication server. However, one detail eludes me.
> 	
> 	I'd like to be able to inactivate accounts. This feature works fine with
> 	Linux clients. With Solaris, I can get either LDAP inactivation or local
> 	accounts work. :(
> 	
> 	If I have this in pam.conf, then the LDAP accounts are locked out
> 	correctly, but local accounts don't work at all!
> 	
> 	other   account requisite pam_roles.so.1
> 	other   account required  pam_unix_account.so.1 server_policy
> 	other   account required  pam_ldap.so
> 	
> 	If I run ssh -d -d -d to a local account, it tells me:
> 	debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
> 	
> 	On the other hand, if I have this in pam.conf (and that's what Gary
> 	Tay's guide recommends), then local accounts work fine, but I have a
> 	locked LDAP account that accepts ANY password:
> 	
> 	other   account requisite pam_roles.so.1
> 	other   account binding  pam_unix_account.so.1 server_policy
> 	other   account required  pam_ldap.so
> 	
> 	Is there a particular patch set, perhaps, that would solve this?
> 	
> 	Thanks,
> 	Simon
> 	--
> 	
> 	Simon (Vsevolod ILyushchenko)   simonf@xxxxxxxx
> 	                                http://www.simonf.com
> 	
> 	"Think like a man of action, act like a man of thought."
> 	
> 	                         Henri Bergson
> 	
> 	--
> 	Fedora-directory-users mailing list
> 	Fedora-directory-users@xxxxxxxxxx
> 	https://www.redhat.com/mailman/listinfo/fedora-directory-users

--

Simon (Vsevolod ILyushchenko)   simonf@xxxxxxxx
                                http://www.simonf.com

"Think like a man of action, act like a man of thought."

                         Henri Bergson

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
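Gary's ACI edit above removes the `read` right on userPassword from the proxyagent bind DN, leaving only `compare` and `search`. The following audit helper is an added example (not code from the thread or from Fedora Directory Server): it parses ACIs of the form quoted in the thread and flags any that still grant `read` on userPassword. The two sample ACI strings are constructed from the "From" and "To" forms in Gary's message.

```python
import re

# Constructed samples: the "From" (read allowed) and "To" (read removed) ACIs
# from the thread, with the canonical Solaris idsconfig proxyagent ACI name.
ACI_BEFORE = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
              '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
              'allow (compare,read,search) '
              'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)')
ACI_AFTER = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
             '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
             'allow (compare,search) '
             'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)')

# Matches the targetattr list, ACI name, allow/deny, the rights list and the
# bind DN of a single FDS/389-style ACI (quotes around userdn are optional,
# since mail clients often strip them, as happened in the quoted message).
_ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\).*?'
    r'acl\s+"?(?P<name>[^;"]+)"?\s*;\s*'
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"?(?P<userdn>ldap:///[^"; ]+)"?',
    re.DOTALL)


def parse_aci(aci):
    """Return the security-relevant fields of one ACI as a dict."""
    m = _ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    return {
        # targetattr may list several attributes separated by "||"
        "attrs": [a.strip().lower() for a in m.group("attrs").split("||")],
        "name": m.group("name").strip(),
        "perm": m.group("perm"),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "userdn": m.group("userdn"),
    }


def password_read_grants(acis):
    """Names of ACIs that still allow some bind DN to read userPassword."""
    flagged = []
    for aci in acis:
        f = parse_aci(aci)
        if (f["perm"] == "allow" and "userpassword" in f["attrs"]
                and "read" in f["rights"]):
            flagged.append(f["name"])
    return flagged
```

Feed it the `aci` attribute values exported from the suffix entry (for example via ldapsearch) to confirm the proxyagent grant now matches the "To" form.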
