[389-users] Directory Server OID control for passwordless logins of Solaris Clients

Charles Gilbert gilbertc777 at gmail.com
Tue Mar 2 12:58:36 UTC 2010


This is from the Sun website about their pam_ldap module:

Configuring PAM to Use LDAP server_policy

To configure PAM to use LDAP server_policy, follow the sample in Example
pam_conf file for pam_ldap Configured for Account
Management<http://docs.sun.com/app/docs/doc/816-4556/schemas-250?a=view>.
Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file.
In addition, if any PAM module in the sample pam.conf file specifies the
binding flag and the server_policy option, use the same flag and option for
the corresponding module in the client's /etc/pam.conf file. Also, add the
server_policy option to the line that contains the service module
pam_authtok_store.so.1.
Note –

Previously, if you enabled pam_ldap account management, all users needed to
provide a login password for authentication any time they logged in to the
system. Therefore, nonpassword-based logins using tools such as rsh, rlogin,
or ssh would fail.

Now, however, pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view>,
when used with Sun Java System Directory Servers DS5.2p4 and newer releases,
enables users to log in with rsh, rlogin, rcp and ssh without giving a
password.

pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view> is
now modified to perform account management and retrieve the account status
of users without authenticating to Directory Server as the user logging in.
The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8,
which is enabled by default.

To modify this control for other than default, add Access Control
Instructions (ACI) on Directory Server:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config


I wanted to know if there is a known working version of this for ssh
keys with account management for 389.
Specifically, is this OID control available for 389?

Thanks!
Chuck
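The Sun note above says pam_ldap gets the account status from the server through the control 1.3.6.1.4.1.42.2.27.9.5.8 instead of binding as the user. The following is an added illustration, not code from the original post and not from 389 or Sun: a stand-alone decoder for the value that control carries back in the search response, plus the decision pam_ldap-style account management has to derive from it. The ASN.1 layout it decodes (a CHOICE between "usable, seconds before expiry" and a SEQUENCE of inactive/reset/expired/grace/unlock fields, with implicit context tags) is my reading of the documented definition of the Account Usable control and is an assumption here; the sample byte strings are constructed, not captured from a server.

```python
"""Decoder for the Account Usable response control (OID 1.3.6.1.4.1.42.2.27.9.5.8).

Added example; assumed encoding (implicit tags, per the documented definition):

  ACCOUNT_USABLE_RESPONSE ::= CHOICE {
    is_available     [0] INTEGER,      -- seconds before password expiry
    is_not_available [1] MORE_INFO }
  MORE_INFO ::= SEQUENCE {
    inactive              [0] BOOLEAN DEFAULT FALSE,
    reset                 [1] BOOLEAN DEFAULT FALSE,
    expired               [2] BOOLEAN DEFAULT FALSE,
    remaining_grace       [3] INTEGER OPTIONAL,
    seconds_before_unlock [4] INTEGER OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ACCOUNT_USABLE_OID = "1.3.6.1.4.1.42.2.27.9.5.8"


def request_control(critical: bool = False) -> Tuple[str, bool, None]:
    """The request side carries only the OID and criticality, no value (assumed)."""
    return (ACCOUNT_USABLE_OID, critical, None)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; return (tag, value, next pos). Definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def _int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


@dataclass
class AccountUsable:
    usable: bool
    seconds_before_expiration: Optional[int] = None
    inactive: bool = False
    reset: bool = False
    expired: bool = False
    remaining_grace: Optional[int] = None
    seconds_before_unlock: Optional[int] = None


def decode_account_usable(value: bytes) -> AccountUsable:
    """Decode the control value; reject trailing bytes or unknown tags rather than guessing."""
    tag, body, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    if tag == 0x80:  # [0] IMPLICIT INTEGER: account is usable
        return AccountUsable(usable=True, seconds_before_expiration=_int(body))
    if tag != 0xA1:  # [1] IMPLICIT SEQUENCE (constructed): account is not usable
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    info = AccountUsable(usable=False)
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x80:
            info.inactive = v != b"\x00"
        elif t == 0x81:
            info.reset = v != b"\x00"
        elif t == 0x82:
            info.expired = v != b"\x00"
        elif t == 0x83:
            info.remaining_grace = _int(v)
        elif t == 0x84:
            info.seconds_before_unlock = _int(v)
        else:
            raise ValueError(f"unexpected tag 0x{t:02x} in MORE_INFO")
    return info


def pam_account_verdict(info: AccountUsable) -> str:
    """The account-management decision a PAM module would make from the decoded control."""
    if info.usable:
        return "ok"
    if info.inactive:
        return "account inactive"
    if info.seconds_before_unlock:
        return "account locked"
    if info.reset:
        return "password must be reset"
    if info.expired and (info.remaining_grace or 0) > 0:
        return "password expired, grace logins remain"
    if info.expired:
        return "password expired"
    return "account not usable"


# Constructed sample control values (not captured from a real directory server):
SAMPLE_USABLE = bytes.fromhex("80 02 0e 10")              # [0] INTEGER 3600 s to expiry
SAMPLE_LOCKED = bytes.fromhex("a1 04 84 02 03 84")        # [1] { seconds_before_unlock 900 }
SAMPLE_GRACE = bytes.fromhex("a1 06 82 01 ff 83 01 02")   # [1] { expired TRUE, remaining_grace 2 }

if __name__ == "__main__":
    for name, raw in (("usable", SAMPLE_USABLE), ("locked", SAMPLE_LOCKED), ("grace", SAMPLE_GRACE)):
        print(name, decode_account_usable(raw), "->", pam_account_verdict(decode_account_usable(raw)))
```

The point of the ACI in the Sun note is visible here: whoever can send the request control and read the response learns lockout, expiry and grace state for any user without that user's password, so the proxy/read rights on the cn=features entry should be limited to the identity pam_ldap binds with, not granted to anonymous or to all users.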