Summary: Sun One Directory server 5.2 and user authentication

From: Ryan Mcewan (mcmeister@gmail.com)
Date: Wed Jun 01 2005 - 12:35:34 EDT


Special thanks to Jeremy Loukinas and Todd Wilkinson for assisting me.
I'm not exactly sure what ended up working, but I went ahead and
rebuilt the client and played with the server side Security Policies
and now I appear to once again have a working ldap authentication
environment. Wish I could provide the golden ticket, but I'm still
unclear which part fixed it.

---------- Forwarded message ----------
From: Ryan Mcewan <mcmeister@gmail.com>
Date: May 18, 2005 3:49 PM
Subject: Sun One Directory server 5.2 and user authentication
To: sunmanagers@sunmanagers.org

I'm swimming in information, yet I cannot seem to get this to work.
I had a working model, but then in my efforts to rebuild everything to
ensure that I knew what I was doing, I've broken something. Now I
can't figure out what's going on. Here is my problem:

Solaris 9 DS 5.2 (ldap server)
Solaris 8 ldap client (will eventually be solaris 9 and various linux clients)

I set up the ldap server using TLS and everything is great. I can
authenticate users on the solaris 8 client, but password enforcement,
etc., is not working. Below is my pam.conf file as well (this is the
latest. I've tried many. This was taken directly from docs.sun.com).
My ultimate goal is to use pam_ldap as it can use SHA for password
encryption and thus have passwords longer than 8 characters.

I've also setup a Password Policy, but it does not seem to be
enforcing it. Anytime I change my passwd from the ldap client it goes
back to crypt from SHA and also is not enforcing the character limit
nor the password history. It also does not seem to be enforcing
password expiry. I had this working at one time, but now it's broken
and I'm not sure what I've done.

client's pam.conf:
#
# ident "@(#)pam.conf 1.19 03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth required pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_authtok_get.so.1
rsh auth required pam_dhkeys.so.1
rsh auth sufficient pam_unix_auth.so.1
rsh auth required pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth required pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth required pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password required pam_authtok_get.so.1
other password required pam_authtok_check.so.1
other password sufficient pam_authtok_store.so.1
other password required pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
#
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
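An added example (not from the original post, nor Sun's code or documentation) that walks the posted stacks with the Solaris pam.conf control-flag semantics: a `sufficient` module that succeeds returns at once, so in the posted `other password` stack `pam_ldap.so.1` is never consulted when `pam_authtok_store.so.1` succeeds, which is consistent with the reported fallback to crypt hashes. The excerpt is a constructed copy of two of the posted stacks with comments stripped, and the per-module outcomes fed to `evaluate` are assumed inputs, not real PAM results.

```python
"""Evaluate Solaris pam.conf stacks (required/requisite/sufficient/optional)."""

# Constructed excerpt mirroring two stacks from the posted pam.conf (comments stripped).
PAM_CONF = """
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
other password required pam_dhkeys.so.1
other password required pam_authtok_get.so.1
other password required pam_authtok_check.so.1
other password sufficient pam_authtok_store.so.1
other password required pam_ldap.so.1
"""


def parse(text):
    """Return a list of (service, type, control, module, options) entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or a wrapped fragment (as in the posted file)
        entries.append((fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries


def stack(entries, service, mtype):
    """Select the stack for (service, type); fall back to 'other' as pam.conf does."""
    found = [e for e in entries if e[0] == service and e[1] == mtype]
    return found or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate(entries, service, mtype, outcomes):
    """Run the stack. `outcomes` maps module name -> True (success) / False (failure);
    unlisted modules are assumed to succeed. Returns (final_result, modules_invoked)."""
    invoked, required_failed = [], False
    for _, _, control, module, _ in stack(entries, service, mtype):
        ok = outcomes.get(module, True)
        invoked.append(module)
        if control == "requisite" and not ok:
            return False, invoked  # stop immediately and report this failure
        if control == "required" and not ok:
            required_failed = True  # keep running the stack, but it will fail
        if control == "sufficient" and ok and not required_failed:
            return True, invoked  # short-circuit: later modules never run
        # optional: result ignored because every stack here has non-optional modules
    return not required_failed, invoked


if __name__ == "__main__":
    conf = parse(PAM_CONF)
    print(evaluate(conf, "passwd", "password", {}))
    print(evaluate(conf, "login", "auth", {"pam_unix_auth.so.1": False}))
```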



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:47 EDT