[Fedora-directory-users] Solaris9 client problems / questions

Tay, Gary Gary_Tay at platts.com
Tue May 16 16:52:13 UTC 2006


# cd config/schema
# grep -i passwordexpirationtime *
00core.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.91 NAME 'passwordExpirationTime' DESC 'Sun ONE defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-DS-USE 'internal' X-ORIGIN 'Sun ONE Directory Server' )
00core.ldif:objectClasses: ( 2.16.840.1.113730.3.2.12 NAME 'passwordObject' DESC 'Sun ONE defined password policy objectclass' SUP top AUXILIARY MAY ( passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $ retryCountResetTime $ accountUnlockTime $ passwordHistory $ passwordAllowChangeTime ) X-DS-USE 'internal' X-ORIGIN 'Sun ONE Directory Server' )
#
 
I am not sure whether FDS 1.0.2 provides the "passwordexpirationtime" attribute just like Sun DS 5.2 does; if so, please read:
 
http://docs.sun.com/app/docs/doc/817-0962/6mgnp4m9s?a=view
 
...

Configuring the Directory Server to Enable Password Management


See the “User Account Management” chapter in the Sun ONE Directory Server 5.1 Administrator's Guide for how to use the Directory Server Console or ldapmodify to configure the password management policy for the LDAP directory. In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server. 

Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.



# ldapmodify -h ldapserver -D administrator DN \
-w administrator password <<EOF
dn: proxy user DN
changetype: modify
replace: passwordexpirationtime
passwordexpirationtime: 20380119031407Z
EOF

Note – 

pam_ldap password management relies on Sun ONE Directory Server 5.1 to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. pam_unix, however, examines the shadow data to determine if accounts are locked or if passwords are aged. Since the shadow data is not kept up to date by the LDAP naming services or the directory server, pam_unix should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword Attribute. Denying proxy users read access to userPassword prevents pam_unix from making an invalid account validation.

...
 
The above may not be applicable if the FDS 1.0.2 password policy features are not identical to those of Sun DS 5.2.
 
Gary
 
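As an added illustration (not part of the thread, and not Sun's or Fedora DS's own code), the script below shows how to read the password-policy operational attributes quoted from 00core.ldif above off a proxy account and how to produce the two ldapmodify inputs discussed here: the Sun document's "never expire" change and the manual unlock Jo performed. The entry is a constructed ldapsearch result; the DN, timestamps and retry count are invented, and the helper names are this example's own.

```python
"""Inspect a proxy account's password-policy state and emit fix-up LDIF.

Added example, not from the mailing-list thread. Attribute names come from
the 00core.ldif schema quoted in the thread (passwordExpirationTime,
accountUnlockTime, passwordRetryCount, retryCountResetTime); the sample
entry, DN and timestamps are constructed for this example.
"""
import base64
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime, UTC ("Z") form
NEVER_EXPIRES = "20380119031407Z"     # the value the Sun document uses

# Constructed sample: what an ldapsearch as Directory Manager for the proxy
# entry (requesting operational attributes with "+") might return while the
# account is locked out. Values are invented.
SAMPLE_ENTRY = """\
dn: uid=proxyagent,ou=profile,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: proxyagent
cn: proxyagent
sn: proxyagent
passwordRetryCount: 3
retryCountResetTime: 20060516171000Z
accountUnlockTime: 20060516173000Z
passwordExpirationTime: 20060601000000Z
"""


def parse_gtime(value):
    """Parse an LDAP GeneralizedTime such as 20060516173000Z into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.

    Handles folded continuation lines (leading space), '#' comments and
    base64-encoded ('::') values, which is enough for ldapsearch output.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def password_policy_status(entry, now):
    """Summarise lockout and expiry state from the operational attributes."""
    def first(attr):
        values = entry.get(attr.lower())
        return values[0] if values else None

    unlock_at = parse_gtime(first("accountUnlockTime")) if first("accountUnlockTime") else None
    expires_at = parse_gtime(first("passwordExpirationTime")) if first("passwordExpirationTime") else None
    return {
        "dn": first("dn"),
        "retry_count": int(first("passwordRetryCount") or 0),
        # accountUnlockTime is set when the failure limit is hit; the lockout
        # is still in force while the current time is before it.
        "locked": unlock_at is not None and now < unlock_at,
        "unlock_at": unlock_at,
        "password_expired": expires_at is not None and now >= expires_at,
        "expires_at": expires_at,
    }


def check_entry(ldif_text, now_gtime):
    """Convenience wrapper: parse an entry and evaluate it at a GeneralizedTime instant."""
    return password_policy_status(parse_ldif_entry(ldif_text), parse_gtime(now_gtime))


def proxy_never_expires_ldif(proxy_dn):
    """The Sun document's ldapmodify input: proxy password never expires."""
    return (f"dn: {proxy_dn}\n"
            "changetype: modify\n"
            "replace: passwordExpirationTime\n"
            f"passwordExpirationTime: {NEVER_EXPIRES}\n")


def unlock_ldif(proxy_dn):
    """ldapmodify input that clears the lockout by deleting accountUnlockTime,
    the same change the original poster made by hand."""
    return (f"dn: {proxy_dn}\n"
            "changetype: modify\n"
            "delete: accountUnlockTime\n")


if __name__ == "__main__":
    status = check_entry(SAMPLE_ENTRY, "20060516171500Z")
    for key, value in status.items():
        print(f"{key:17} {value}")
    print(proxy_never_expires_ldif(status["dn"]))
    print(unlock_ldif(status["dn"]))
```

Feed the generated LDIF to `ldapmodify` bound as an administrative identity, as in the Sun script above. Note that neither change removes the cause of the lockout: with a policy that locks after three failed binds, an account that relocks every few minutes is still being bound to with a wrong credential somewhere, so the retry count and retryCountResetTime on the live entry are worth watching after the unlock.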

	-----Original Message----- 
	From: fedora-directory-users-bounces at redhat.com on behalf of Jo De Troy 
	Sent: Tue 5/16/2006 11:19 PM 
	To: fedora-directory-users at redhat.com 
	Cc: 
	Subject: [Fedora-directory-users] Solaris9 client problems / questions
	
	
	Hello,
	
	I have setup a Solaris9 server as LDAP client to FedoraDS 1.0.2 on CentOS4. (I have followed the Solaris client howto and the documentation on http://web.singnet.com.sg/~garyttt/ )
	Every few minutes the proxyagent, that is used to connect from Solaris to the LDAP server, gets locked out, I have a global pwdpolicy that enables lockouts after 3 login failures. After this account gets locked out I cannot connect any more [ldaplist returns Object not found (Session error no available conn.) ] If I delete the accountunlocktime attribute of the proxyagent I'm back in business. Is there a way to stop the locking of this account? I've tried to setup a special pwdpolicy for the proxyagent, without success. 
	Secondly, I don't see how I can get TLS working. In the Solaris client howto document it's written to start up Netscape and connect to http://ldapserver:636 to somehow get the certificates for the Solaris client. I must be doing something wrong, since this just doesn't work. Is there another way of getting the required certificates on the Solaris client? I guess I only need the CA certificates on the Solaris client, or not? 
	
	Best Regards,
	Jo
	
