In our environment we've had success with Netware 6.0.2 and RedHat 8.0 using TLS, LDAP and no local user accounts on the Linux workstations. From the looks of your config you may want to try pam_password md5 rather than crypt.

We've published a document that may be helpful to you at:
http://www.novell.com/coolsolutions/nds/features/a_linux_auth_ldap_edir.html

We also found that using the Account Mgmt. 2.1 snap-ins to ConsoleOne was an easy way to edit attributes on the posixAccount and posixGroup schema; however, there are other ways to do this a la LDIF.

Another individual found another solution/addition by mapping LDAP classes to NDS classes at:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f66de42.8929781%40support-forums.novell.com&rnum=7

I like the work you've done with the PAM mount module; we'll have to try that in house.

Jeffrey Brown
UNIX/Linux SA
Jefferson County, Colorado USA

>>> yann.forget@xxxxxxxxxx 3/12/2004 6:24:21 AM >>>
Hi,

I have Linux stations using Novell NDS / eDirectory for authentication. Works fine so far if I have local accounts in /etc/passwd (password deactivated in /etc/shadow).

What is the necessary config for logging in *without* a local account in /etc/passwd?

I also use pam_mount and it works fine.
/etc/nsswitch.conf

passwd: ldap files
shadow: ldap files
group: ldap files

============================
/etc/security/pam_mount.conf

debug 1
mkmountpoint 1
lsof /usr/bin/lsof
options_require nosuid,nodev
luserconf .pam_mount.conf
smbmount /bin/mount -t smbfs
ncpmount /bin/mount -t ncpfs
umount /bin/umount
lclmount /bin/mount -p0
volume * ncp novell_name_of_server usr/cti/& /home/& ipserver=unix_name_of_server,user=&.novell_context,uid=&,gid=users - -

============================
/etc/ldap.conf

host mialplacidus
base ou=cti,ou=aca82,ou=d,o=nhp
ldap_version 3
port 636
pam_password crypt
sslpath /etc/ssl/certs/cert7.db
nss_base_passwd <context>
nss_base_shadow <context>
nss_base_group <context>
ssl on
tls_cacertdir /etc/ssl/certs

===========================
/etc/security/pam_unix2.conf

auth: use_ldap nullok
account: use_ldap
password: use_ldap nullok
session: none

===========================
/etc/pam.d/login

#%PAM-1.0
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_mount.so use_first_pass
auth required pam_mount.so use_first_pass

===========================

Thanks,
Yann

--
OSS consultant
Centre des Technologies de l'Information
Etat de Genève
82 rue des Acacias
1227 Carouge (GE)
Tel. +41-22-325 11 62

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list