SUMMARY: LDAP netgroups

From: Victor Engle (sunmanager@summerseas.com)
Date: Tue Oct 12 2004 - 13:16:36 EDT


I got responses from Lorraine Baran, Rob De Langhe and Jason Grove.
Lorraine and Jason had working configurations but unfortunately I was
unable to duplicate their success. Rob said that he didn't believe the
netgroups could be used in /etc/passwd anymore and suggested adding code
to /etc/profile to control logins.

In researching the problem further it seems that Sun introduced a bug
with the Solaris 8 LDAP client patch 108993-18 when the old pam_unix.so
was replaced by several smaller modules. Some of the bug reports on
SunSolve suggested that a workaround would be to use the old PAM
modules which still exist in /usr/lib/security but this also didn't work
for me. The problems I have seen are described on SunSolve here:

http://sunsolve.sun.com/search/document.do?assetkey=1-1-5025128-1
http://sunsolve.sun.com/search/document.do?assetkey=1-1-5019501-1&searchclause=ldap%20nsswitch.conf%20compat

I did manage to use LDAP netgroups to limit logins on a system using an
unsupported PAM module that a Sun security engineer had posted on
playground.sun.com here
http://playground.sun.com/~darrenm/pam_netgroup.c. I intend to use this
module as a workaround until the compat mode problem is resolved.

 <http://sunsolve.sun.com/search/document.do?assetkey=1-21-108993-33-1>
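
As an added illustration (not code from the thread, from Sun, or from the pam_netgroup module), a small Python model of the compat-mode lookup the quoted question relies on: how +user, +@netgroup and - entries in /etc/passwd are matched, in order, against nisNetgroupTriple members such as "(,fred,)" and the set of accounts the LDAP source knows. The sys_dba_admins netgroup, the dba1 and mallory accounts and the LDAP user list are constructed for the example; it also covers nested netgroups and the empty-user wildcard, which the thread does not show.

```python
from typing import Optional
# Constructed data: the thread's skylab netgroup plus a hypothetical sys_dba_admins netgroup that nests it.
NETGROUPS = {
    "skylab": ["(,vengle,)", "(,fred,)"],
    "sys_dba_admins": ["skylab", "(,dba1,)"],
}
LDAP_USERS = {"vengle", "fred", "dba1", "mallory"}  # accounts the LDAP passwd source knows

def parse_triple(triple: str) -> tuple:
    """Split "(host,user,domain)" into its fields; an empty field is a wildcard."""
    body = triple.strip()
    parts = tuple(p.strip() for p in body[1:-1].split(","))
    if not (body.startswith("(") and body.endswith(")")) or len(parts) != 3:
        raise ValueError(f"malformed netgroup triple: {triple!r}")
    return parts

def netgroup_users(name: str, netgroups: dict, seen: Optional[set] = None) -> set:
    """Users named by a netgroup, following nested netgroups; "*" marks a
    triple with an empty user field, which matches every user."""
    seen = set() if seen is None else seen
    if name in seen:  # break cycles such as a -> b -> a
        return set()
    seen.add(name)
    users = set()
    for member in netgroups.get(name, []):
        if member.startswith("("):
            users.add(parse_triple(member)[1] or "*")
        else:  # nested netgroup (memberNisNetgroup)
            users |= netgroup_users(member, netgroups, seen)
    return users

def login_allowed(user: str, passwd_lines: list, netgroups: dict, ldap_users: set) -> bool:
    """Walk /etc/passwd in order, first match wins: a plain local entry admits
    its user; +name, +@netgroup and bare + admit (and their - forms deny)
    only users that actually exist in the LDAP passwd source."""
    for line in passwd_lines:
        key = line.split(":", 1)[0]
        if key[:1] not in ("+", "-"):
            if key == user:
                return True
            continue
        selector = key[1:]
        if selector.startswith("@"):
            members = netgroup_users(selector[1:], netgroups)
            hit = "*" in members or user in members
        else:
            hit = selector in ("", user)
        if hit and user in ldap_users:
            return key[0] == "+"
    return False
```

With the thread's "+@skylab:x:::::" line, fred and vengle are admitted, mallory is not, and a "-@skylab" line placed before a bare "+" line inverts that.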

Victor Engle wrote:

> Hello List,
>
> I have a Sun Directory server v5.2 configured as a naming service for
> my Sun workstation. It currently provides account info,
> authentication, group info and auto_* map info. I have been trying to
> get netgroups to work because my goal is to use LDAP as a naming
> service for servers and I need to be able to allow only specific users
> access to the servers. For example on an oracle server I would want to
> restrict access to system and database admins by adding something
> like "+@sys_dba_admins". The sys_dba_admins would be an ldap netgroup
> containing nis triples or netgroups for the sys admins and dba's.
>
> I configured nsswitch.conf for compatibility mode. Here is the
> relevant part of my nsswitch.conf:
>
> passwd: files compat
> passwd_compat: ldap
> group: files compat
> group_compat: ldap
> netgroup: ldap
>
> Here is my ldap netgroup entry:
>
> cn=skylab,ou=netgroup,dc=domain_central,dc=local
> objectClass=nisNetgroup
> objectClass=top
> cn=skylab
> nisNetgroupTriple=(,vengle,)
> nisNetgroupTriple=(,fred,)
> creatorsName=cn=directory manager
> modifiersName=cn=directory manager
> createTimestamp=20041008175127Z
> modifyTimestamp=20041008175127Z
>
> And here is the /etc/passwd file entry. (pwconv added the entry to
> /etc/shadow)
>
> +@skylab:x:::::
>
> In this configuration, no ldap account can login. The user fred is an
> ldap user and is listed in the skylab netgroup. If I add "+fred" to
> the passwd file then fred can login so I know the 1 compatibility is
> working, just not with the netgroup.
>
> Do I have a configuration error or is this a bug?
>
> Any assistance would be appreciated.
>
> Thanks,
> Vic
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:29:33 EDT