Pam with Ldap on Solaris 10

From: wheakory@isu.edu
Date: Thu May 04 2006 - 15:09:32 EDT


I have a Sun One Directory Server 5.2 on one box and I'm using it to
authenticate users to log in to their system account on another Solaris
10 system. I configured pam_ldap and that works, but I want to tweak
the pam module to work how I want things set up.

I only want the users to authenticate with their LDAP password and not
with their system password. When their system account is created it
generates a password (if I don't generate a system password, their LDAP
password will not authenticate; I'm not sure why, but it must be in the PAM
setup), and the users were able to log in to the Solaris 10 box using
their system password and LDAP password, until I made the below changes
to the pam module. I commented out the "login pam_unix_auth.so.1", and
now they can only log in with their LDAP password, but there's a problem
with this.

If you reboot the machine and try to log in as root, since root uses
the login service on boot up to log in, I can't log in. How can I change
the pam module to only allow root to use its system password with the
login service module?

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
#login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 debug

su auth requisite pam_authtok_get.so.1
su auth required pam_dhkeys.so.1
su auth required pam_unix_cred.so.1
su auth required pam_dial_auth.so.1
su auth sufficient pam_unix_auth.so.1
su auth required pam_ldap.so.1 debug

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

--
Kory Wheatley
Computing Analyst Sr.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
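The post above does not get an answer in this archive, so the following is an added example (not the poster's code and not Sun's PAM implementation) that models how Solaris 10 pam.conf(4) control flags (requisite, required, sufficient, binding) compose across an auth stack. It evaluates two stacks: the poster's login stack with pam_unix_auth.so.1 commented out, and the variant documented in pam_ldap(5) for mixed local/LDAP authorities, `binding pam_unix_auth.so.1 server_policy` followed by `required pam_ldap.so.1`. The modules are stand-in functions over a constructed directory (root only in local files, a user `kory` only in LDAP); the server_policy behaviour (pam_unix_auth returning PAM_IGNORE when the user's passwd entry is not from files or NIS) is taken from pam_unix_auth(5) and modelled, not executed against real PAM.

```python
"""Model of how Solaris 10 pam.conf(4) control flags compose in an auth stack.

Constructed example, not from the original post or from Sun's PAM code: the
modules are stand-in functions, and the 'server_policy' behaviour of
pam_unix_auth.so.1 (PAM_IGNORE when the user's passwd entry is not local) is
taken from pam_unix_auth(5), not executed against a real Solaris box.
"""
from dataclasses import dataclass

PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_IGNORE")

# Constructed directory state.  Assumption: root exists only in local files,
# 'kory' only in LDAP (nsswitch 'passwd: files ldap').
FILES_SHADOW = {"root": "r00tpw"}
LDAP_USERPASSWORD = {"kory": "ldappw"}

# The poster's login stack, pam_unix_auth commented out ...
POSTED_LOGIN_STACK = """
login auth requisite pam_authtok_get.so.1
login auth required  pam_dhkeys.so.1
login auth required  pam_unix_cred.so.1
login auth required  pam_dial_auth.so.1
#login auth sufficient pam_unix_auth.so.1
login auth required  pam_ldap.so.1 debug
"""

# ... and the binding/server_policy variant from pam_ldap(5).  Assumption:
# the LDAP users have no entry in /etc/passwd, so nsswitch resolves them to LDAP.
BINDING_LOGIN_STACK = """
login auth requisite pam_authtok_get.so.1
login auth required  pam_dhkeys.so.1
login auth required  pam_unix_cred.so.1
login auth required  pam_dial_auth.so.1
login auth binding   pam_unix_auth.so.1 server_policy
login auth required  pam_ldap.so.1
"""


def passwd_source(user):
    """nsswitch-style lookup: files first, then ldap."""
    if user in FILES_SHADOW:
        return "files"
    if user in LDAP_USERPASSWORD:
        return "ldap"
    return None


@dataclass
class Entry:
    service: str
    mtype: str
    flag: str
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse pam.conf lines: service type flag module [options...]; '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("bad pam.conf line: %r" % raw)
        entries.append(Entry(*fields[:4], tuple(fields[4:])))
    return entries


def run_module(entry, user, password):
    """Constructed stand-ins for the modules named in the post."""
    m = entry.module
    if m in ("pam_authtok_get.so.1", "pam_dhkeys.so.1",
             "pam_unix_cred.so.1", "pam_dial_auth.so.1"):
        return PAM_SUCCESS  # prompting / credential setup: modelled as always OK
    if m == "pam_unix_auth.so.1":
        if "server_policy" in entry.options and passwd_source(user) not in ("files", "nis"):
            return PAM_IGNORE  # account authority is a server (LDAP): step aside
        return PAM_SUCCESS if FILES_SHADOW.get(user) == password else PAM_AUTH_ERR
    if m == "pam_ldap.so.1":
        if user not in LDAP_USERPASSWORD:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if LDAP_USERPASSWORD[user] == password else PAM_AUTH_ERR
    raise ValueError("unmodelled module " + m)


def authenticate(entries, service, user, password):
    """Apply the pam.conf(4) control-flag rules to the auth stack of `service`."""
    stack = [e for e in entries if e.service == service and e.mtype == "auth"]
    if not stack:  # pam.conf(4): fall back to the 'other' service
        stack = [e for e in entries if e.service == "other" and e.mtype == "auth"]
    first_failure = None
    for e in stack:
        rc = run_module(e, user, password)
        if rc == PAM_IGNORE:
            continue  # module asked to be treated as absent
        ok = rc == PAM_SUCCESS
        if e.flag == "requisite":
            if not ok:
                return rc  # stop at once and return this error
        elif e.flag in ("required", "binding"):
            if not ok:
                first_failure = first_failure or rc  # remember, keep going
            elif e.flag == "binding" and first_failure is None:
                return PAM_SUCCESS  # binding success with no earlier failure ends the stack
        elif e.flag == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS  # a failing sufficient module is simply ignored
        elif e.flag != "optional":  # optional failures are ignored in this model
            raise ValueError("unknown control flag " + e.flag)
    return first_failure or PAM_SUCCESS


if __name__ == "__main__":
    for name, text in (("posted", POSTED_LOGIN_STACK), ("binding", BINDING_LOGIN_STACK)):
        conf = parse_pam_conf(text)
        for user, pw in (("root", "r00tpw"), ("root", "wrong"), ("kory", "ldappw"), ("kory", "wrong")):
            print("%-8s login %-5s %-7s -> %s" % (name, user, pw, authenticate(conf, "login", user, pw)))
```

Under this model the posted stack returns PAM_USER_UNKNOWN for root on the login service (pam_ldap is the only remaining authenticator and root is not in the directory), which is the lock-out described in the post, while the binding/server_policy stack lets root succeed on the local password without ever consulting pam_ldap and sends kory to pam_ldap only. One caveat a practitioner should check: server_policy decides by where the passwd entry comes from, so an account that also has a local /etc/passwd and shadow entry with a generated system password is treated as local and will keep authenticating with that password; the LDAP-only behaviour the post asks for needs the users' passwd entries to come from LDAP through nsswitch, with only root and other local administrators in the files.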


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:39:47 EDT