[389-users] Directory Server OID control for passwordless logins of Solaris Clients
Rich Megginson
rmeggins at redhat.com
Tue Mar 2 15:27:36 UTC 2010
Charles Gilbert wrote:
>
>
> This is from the Sun website about their pam_ldap module:
>
>
>
> Configuring PAM to Use LDAP server_policy
>
> To configure PAM to use LDAP server_policy, follow the sample in
> Example pam_conf file for pam_ldap Configured for Account Management
> <http://docs.sun.com/app/docs/doc/816-4556/schemas-250?a=view>. Add
> the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf
> file. In addition, if any PAM module in the sample pam.conf file
> specifies the binding flag and the server_policy option, use the same
> flag and option for the corresponding module in the client's
> /etc/pam.conf file. Also, add the server_policy option to the line
> that contains the service module pam_authtok_store.so.1.
>
> ------------------------------------------------------------------------
> *Note – *
>
> Previously, if you enabled pam_ldap account management, all users
> needed to provide a login password for authentication any time they
> logged in to the system. Therefore, nonpassword-based logins using
> tools such as rsh, rlogin, or ssh would fail.
>
> Now, however, pam_ldap(5)
> <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view>, when
> used with Sun Java System Directory Servers DS5.2p4 and newer
> releases, enables users to log in with rsh, rlogin, rcp and ssh
> without giving a password.
>
> pam_ldap(5)
> <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view> is now
> modified to perform account management and retrieve the account status
> of users without authenticating to Directory Server as the user
> logging in. The new control to this on Directory Server is
> 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.
>
> To modify this control for other than default, add Access Control
> Instructions (ACI) on Directory Server:
>
>
> dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
> objectClass: top
> objectClass: directoryServerFeature
> oid: 1.3.6.1.4.1.42.2.27.9.5.8
> cn: Password Policy Account Usable Request Control
> aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
>  allow (read, search, compare, proxy)
>  (groupdn = "ldap:///cn=Administrators,cn=config");)
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
>
>
> I wanted to know if there is a known working version of this for ssh keys with account management for 389.
>
I'm not sure. Other posters have provided information about using ssh
keys with 389.
> Specifically, is this OID control available for 389?
>
No, this control is not provided by 389. Please file a bug/RFE for this
feature. https://bugzilla.redhat.com/enter_bug.cgi?product=389
> Thanks!
> Chuck
>
>
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
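A server that implements a request control advertises its OID in the root DSE's supportedControl attribute, so that attribute is the place to check before relying on the Sun-style passwordless account management described above. The following is an added example, not code from the thread or from the 389 project: it parses a constructed ldapsearch-style root DSE listing (LDIF, including folded and base64 values) and reports whether the Account Usable control OID is present.

```python
import base64

# OID quoted in the thread for Sun DS's Account Usable request control
ACCOUNT_USABLE_OID = "1.3.6.1.4.1.42.2.27.9.5.8"

# Constructed sample of what `ldapsearch -s base -b "" supportedControl vendorName`
# might print; not captured from a real server. One value is LDIF-folded and
# one is base64-encoded ("::") to exercise both parser paths.
SAMPLE_ROOT_DSE = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.42.2.
 27.8.5.1
supportedControl:: Mi4xNi44NDAuMS4xMTM3MzAuMy40LjM=
vendorName: 389 Project
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {lowercased attribute: [values]}.

    Handles RFC 2849 line folding (a leading space continues the previous
    line) and base64 values (attr:: value). Comments and blank lines are skipped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue                        # not an attr: value line
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def control_supported(root_dse_ldif, oid):
    """True if the root DSE lists `oid` among its supportedControl values."""
    return oid in parse_ldif_entry(root_dse_ldif).get("supportedcontrol", [])


def missing_controls(root_dse_ldif, required_oids):
    """Return the subset of `required_oids` the server does not advertise."""
    return [o for o in required_oids if not control_supported(root_dse_ldif, o)]
```

Run it against the output of a base-scope search of the root DSE on your own server; if the OID is in the missing list, the client-side server_policy setup from the Sun documentation has nothing to talk to.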