problem with Netscape LDAP server and Solaris 8

From: Preston, Lance (lance.preston@wcg.com)
Date: Thu Apr 04 2002 - 16:29:01 EST


I am trying to set up a Solaris 8 client using Netscape Directory Server
v4.13. I am using pam_ldap (v.140) and nss_ldap (v.184) from PADL Software,
since the native pam_ldap module from SUN doesn't support checking the
user's host attribute field. I am running into an issue with my
/etc/pam.conf setup where I create a bad 'catch-22' situation that I can't
seem to resolve. If I use the following settings in pam.conf (condensed):

login account required /usr/lib/security/$ISA/pam_unix.so.1
login account required /usr/lib/security/$ISA/pam_ldap.so.2
other account required /usr/lib/security/$ISA/pam_unix.so.1
other account required /usr/lib/security/$ISA/pam_ldap.so.2

then both pam_unix and pam_ldap are 'required', and the user must be defined
both locally (/etc/passwd) and in the LDAP server in order to log in. In
addition, if the LDAP server becomes unavailable (network outage) then no
one can log in (including root), since both are 'required'. However, if I
change pam.conf and use the following settings instead:

login account sufficient /usr/lib/security/$ISA/pam_unix.so.1
login account required /usr/lib/security/$ISA/pam_ldap.so.2
other account sufficient /usr/lib/security/$ISA/pam_unix.so.1
other account required /usr/lib/security/$ISA/pam_ldap.so.2

now if the user is defined locally, pam_unix is 'sufficient' and the user
can log in (without an account being defined in the LDAP server), even if the
LDAP server is unavailable. But now that pam_unix is something less than
required (sufficient), the pam_ldap module no longer enforces the host
attribute check, and any user defined in LDAP (non-local users) can log in to
any server that uses LDAP to authenticate its users (which is undesirable).

MY QUESTION: Why does pam_unix have any impact on how pam_ldap enforces
checking of the host attribute field, and how do I resolve this situation?
We were using NIS as an enterprise-wide solution, but ripped it out recently
under management orders to use a new enterprise tool called Control-SA,
which turns out to not work at all (ever hear of testing?) Now ALL our users
are defined locally and it is a management nightmare, thus the urgent push
to get LDAP working - SOON.

Does anyone have any experience setting up Solaris 8 clients to authenticate
users against the Netscape/iPlanet directory server, especially using the
pam_ldap module from PADL? If so, please help me out and tell me how you did
it.

Thanks!
Lance Preston
lance.preston@wcg.com
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
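The 'catch-22' in the post comes down to how a PAM stack is walked: a 'required' failure is remembered but the rest of the stack still runs, while a 'sufficient' success ends the stack before later modules get a look. The following simulation is an added example, not code from the post or from PADL; it replays the two pam.conf 'account' stacks quoted above against a constructed set of users and reports which modules actually ran. Its module models are assumptions made for illustration: pam_unix's account check is assumed to pass for any name that nsswitch resolves (which, with nss_ldap configured, includes directory users while the server is reachable), and pam_ldap's account check is assumed to require a reachable server, an entry, and a matching host attribute. Under those assumptions the trace shows why pam_ldap's host check is never consulted once pam_unix is 'sufficient', and why a 'required' pam_ldap locks everyone out when the server is down.

```python
from dataclasses import dataclass

# The two 'account' stacks from the post (the 'login' service is shown;
# 'other' is configured identically in the post).
STACK_BOTH_REQUIRED = [("required", "pam_unix"), ("required", "pam_ldap")]
STACK_UNIX_SUFFICIENT = [("sufficient", "pam_unix"), ("required", "pam_ldap")]


@dataclass(frozen=True)
class User:
    name: str
    in_passwd: bool     # entry in local /etc/passwd
    in_ldap: bool       # entry in the directory
    host_allowed: bool  # the directory entry's host attribute lists this machine


def pam_unix_account(user: User, ldap_up: bool) -> bool:
    """Model of pam_unix account management (an assumption, not the real module):
    it passes whenever the name resolves through nsswitch. With nss_ldap in
    nsswitch.conf, directory users resolve too while the server is reachable,
    so pam_unix by itself cannot tell a local user from an LDAP-only one."""
    return user.in_passwd or (ldap_up and user.in_ldap)


def pam_ldap_account(user: User, ldap_up: bool) -> bool:
    """Model of pam_ldap account management (an assumption): it needs a
    reachable server and an entry, and it enforces the host attribute."""
    return ldap_up and user.in_ldap and user.host_allowed


MODULES = {"pam_unix": pam_unix_account, "pam_ldap": pam_ldap_account}


def run_account_stack(stack, user: User, ldap_up: bool):
    """Walk a PAM stack with the classic control-flag semantics:
      required   - a failure is remembered, but the remaining modules still run
      sufficient - a success ends the stack at once unless an earlier 'required'
                   module already failed; a failure is simply ignored
    Returns (allowed, names of the modules that actually ran)."""
    required_failed = False
    ran = []
    for control, name in stack:
        ok = MODULES[name](user, ldap_up)
        ran.append(name)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ran
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (not required_failed), ran


def host_check_enforced(stack, user: User, ldap_up: bool) -> bool:
    """True only if pam_ldap was actually consulted for this login attempt;
    this is the property the post wants to hold for every directory user."""
    _, ran = run_account_stack(stack, user, ldap_up)
    return "pam_ldap" in ran


# Constructed sample population (not taken from the post).
ROOT = User("root", in_passwd=True, in_ldap=False, host_allowed=False)
ALICE = User("alice", in_passwd=False, in_ldap=True, host_allowed=True)
BOB = User("bob", in_passwd=False, in_ldap=True, host_allowed=False)  # not permitted here

if __name__ == "__main__":
    for label, stack in (("both required", STACK_BOTH_REQUIRED),
                         ("pam_unix sufficient", STACK_UNIX_SUFFICIENT)):
        for ldap_up in (True, False):
            for user in (ROOT, ALICE, BOB):
                allowed, ran = run_account_stack(stack, user, ldap_up)
                print(f"{label:20} ldap_up={ldap_up!s:5} {user.name:6} "
                      f"allowed={allowed!s:5} ran={ran}")
```

Running the script prints one line per (stack, server state, user) combination. The two rows worth reading are root with the server down under the 'both required' stack (denied, because the remembered pam_ldap failure cannot be overridden) and bob with the server up under the 'pam_unix sufficient' stack (allowed, with pam_ldap never appearing in the list of modules that ran). The `host_check_enforced` helper is the check to apply to any candidate stack before deploying it: if it returns False for an LDAP-only user, the host attribute is not being evaluated at all, whatever it contains.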



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:10 EDT