Openldap: ssh works, su does not

From: Vsevolod (Simon) Ilyushchenko (simonf@cshl.edu)
Date: Mon Aug 01 2005 - 19:09:40 EDT


Hi,

I've tried to use Openldap client libraries on a Solaris 9 machine to
connect to an Openldap server, as described here:

http://www.bolthole.com/solaris/LDAP.html
and here:
http://netmojo.ca/howto/solaris-openldap.html#LastStep

In particular, I've taken pam.conf (below) from the second page.

I've had partial success: LDAP accounts can log in using Sun's default
SSH, the 'id' command works, and I can 'sudo su' to LDAP accounts.
However, regular 'su' does not work: if I try it, I get the error "su:
Unknown id: username". 'su' to local accounts works.

Also, after I login as an LDAP user, the 'ps -ef' output shows my UID,
not my username. So the OS does not completely recognize the LDAP accounts.

Has anyone run into this? What other settings can I play with?

Thanks,
Simon

***

My pam.conf:

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
#
## OpenSSH
sshd auth sufficient pam_unix.so.1
sshd auth required pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
passwd auth sufficient pam_unix_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
## OpenSSH
sshd account sufficient pam_unix.so.1
sshd account required pam_ldap.so.1 try_first_pass
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1 try_first_pass
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password sufficient pam_unix.so.1
other password required pam_ldap.so try_first_pass

-- 
Simon (Vsevolod Ilyushchenko)   simonf@cshl.edu
                                http://www.simonf.com
Terrorism is a tactic and so to declare war on terrorism
is equivalent to Roosevelt's declaring war on blitzkrieg.
Zbigniew Brzezinski, U.S. national security advisor, 1977-81
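The pam.conf above gives sshd its own auth and account stacks but no entries for su, so su is evaluated under the "other" stacks. The following added example (not from the post or from either linked howto) resolves which stack Solaris PAM would actually walk for a given service and module type, using a constructed pam.conf fragment in the same style; the file name, function names and sample entries are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: resolve the pam.conf stack PAM evaluates for a service.
# SAMPLE_PAMCONF is a constructed fragment modelled on the pam.conf quoted
# above (it is not the poster's file): explicit sshd entries, no su entries.
SAMPLE_PAMCONF=$(mktemp)
cat > "$SAMPLE_PAMCONF" <<'EOF'
# comment and blank lines are ignored by the parser
login auth requisite pam_authtok_get.so.1
sshd  auth sufficient pam_unix.so.1
sshd  auth required   pam_ldap.so.1 try_first_pass
other auth sufficient pam_unix_auth.so.1
other auth required   pam_ldap.so.1 try_first_pass

other account sufficient pam_unix_account.so.1
other account required   pam_ldap.so.1 try_first_pass
EOF

# pam_effective_service FILE SERVICE TYPE
# Prints SERVICE if the file has explicit entries for that service and
# module type (auth, account, session, password), otherwise "other",
# the stack Solaris PAM falls back to when a service has none.
pam_effective_service() {
    awk -v s="$2" -v t="$3" '
        /^[ \t]*#/ || NF < 3 { next }
        $1 == s && $2 == t  { found = 1 }
        END { print (found ? s : "other") }' "$1"
}

# pam_stack FILE SERVICE TYPE
# Prints "control-flag module [options]" for each line PAM would walk
# for SERVICE/TYPE after the fallback above has been applied.
pam_stack() {
    eff=$(pam_effective_service "$1" "$2" "$3")
    awk -v s="$eff" -v t="$3" '
        /^[ \t]*#/ || NF < 3 { next }
        $1 == s && $2 == t { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# pam_stack_has FILE SERVICE TYPE MODULE: exit 0 if MODULE is in that stack.
pam_stack_has() {
    pam_stack "$1" "$2" "$3" | awk -v m="$4" '$2 == m { ok = 1 } END { exit !ok }'
}

# Stand-alone demonstration on the constructed file.
echo "sshd auth is evaluated as: $(pam_effective_service "$SAMPLE_PAMCONF" sshd auth)"
echo "su auth is evaluated as:   $(pam_effective_service "$SAMPLE_PAMCONF" su auth)"
pam_stack "$SAMPLE_PAMCONF" su account
```

Because su's "Unknown id" message is printed when its password-database lookup (getpwnam) fails, which is governed by the passwd line in nsswitch.conf rather than by pam.conf, confirming that the "other" stack already contains pam_ldap.so.1 points the investigation at name-service configuration instead of the PAM stack.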