Well, this makes sense, but I'm using the Sun-recommended pam_ldap
configuration, straight from their documentation for Solaris 10. I don't
have a machine in front of me, but if memory serves, their configuration
includes pam_unix_auth, pam_unix_cred as well as pam_ldap. I've read about
the changes with server_policy and the like, but even those example (again,
iirc) use pam_unix.
If you have a working pam.conf for solaris 10 that doesn't exhibit this
behavior, I'd be happy not so much to see it, but to know what doc you
referenced to develop it!
On 8/30/05, George Holbert <gholbert(a)broadcom.com> wrote:
It sounds like you're using the pam_unix module for authentication on
the Solaris 10 client instead of the pam_ldap module. The bind as the
proxy user is to retrieve the crypted password hash of the account,
which is then compared with the password given at login.
If you want LDAP account deactivation to affect logins to Solaris
clients, those clients must use pam_ldap to authenticate against the
LDAP server, instead of pam_unix.
Note also that deactivating a LDAP account will not prevent
password-less rsh login with that account.
Brian K. Jones wrote:
>Anyone experiencing a similar issue should see this Sun forum thread
>On Tuesday 30 August 2005 4:42 pm, Brian K. Jones wrote:
>>Well, I'm running nscd, but before I go shutting that off, I should
>>this new info:
>>I found that the solaris machine *does* try to bind as the user, and the
>>server returns err=53, just like it does to the linux clients! However,
>>*then* does a search for the shadowaccount objectclass and the inactive
>>user's uid, and memberUID=<inactive user>, and in the end, it lets the
>>Baffling. And scary that a failed bind request can potentially lead to
>>users getting logged in anyway.
>>On Tuesday 30 August 2005 4:24 pm, aly.dharshi(a)telus.net wrote:
>>> Is the nscd caching the query ? I guess try restarting nscd and
>>>see if that fixes your problem, if you aren't running nscd this is a
>>>On Tue, 30 Aug 2005, Brian K. Jones wrote:
>>>>I'm running FDS (binary rpm) on rhel4. I have rhel4 and solaris 10
>>>>If I inactivate a user account in the FDS admin GUI, then try to log
>>>>via ssh as that inactivated user on any ol' random Linux client, the
>>>>BIND operation fails with err=53 (unwilling to perform). This, I
>>>>think, is the expected behaviour.
>>>>Solaris 10, on the other hand, lets the user in (again, ssh). The only
>>>>BIND I can correllate in the logs come from the solaris proxy user.
>>>>Then a search is done for "shadowaccount=<username>", and
>>>>is done for the group memberships of that user (presumably I'm
>>>>in when this is done). There's never a BIND operation as the
>>>>user at all!
>>>>Can someone explain what's happening?
>>>>Fedora-directory-users mailing list
>>Fedora-directory-users mailing list
>Fedora-directory-users mailing list
Fedora-directory-users mailing list