
Re: using openldap/nss_ldap/pam module on solaris 2.6



Mark X Lucking: Not really clear on what you are asking... you created the
posixAccount OK, what's the problem with shadowAccount?

Scott: Kurt is probably going to scold me and say this is off-topic for this
list, but I'll risk it and briefly address: nss_ldap and pam_ldap are
different methods of getting to the same result (which is to authenticate
against ldap). Hopefully you know what PAM is, and you realize that not all
applications have been "pam-enabled". NSS is a way of supporting non-PAM
apps that authenticate using a getpwent() call (typically a lookup in
/etc/passwd or shadow). NSS will intercept the getpwent call and do the
lookup using whatever method is specified in /etc/nsswitch.conf. It is
important to realize that PAM lets you change auth method on an app-by-app
basis, whereas NSS is a system-wide thing.

Now, where SASL fits into all this I still don't understand, but then I
really haven't taken the time to read the RFC.

> From: "Scott D. Epter Ph. D." <septer@hhinteractive.com>
> Date: Tue, 10 Apr 2001 10:03:53 -0400
> To: <openldap-software@OpenLDAP.org>
> Subject: RE: using openldap/nss_ldap/pam module on solaris 2.6
> 
> Glad you posted this.  I am going through a similar situation, although have
> not progressed as far as you have.  At this point, I have found precious
> little documentation on how to do this and am unclear on the role of the
> nss_ldap module (i.e. why doesn't the ldap_pam module suffice?) Can you (or
> anybody who has done this successfully) either:
> 
> 1) Post the relevant pieces of your pam.conf, ldap.conf and nsswitch.conf
> or
> 2) Point out some docs that got you as far as you did?
> 
> or even both...
> 
> Thanks in advance,
> 
> Scott
> 
> & -----Original Message-----
> & From: owner-openldap-software@OpenLDAP.org
> & [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mark X Lucking
> & Sent: Tuesday, April 10, 2001 6:53 AM
> & To: openldap-software@OpenLDAP.org
> & Subject: using openldap/nss_ldap/pam module on solaris 2.6
> &
> &
> & Help,
> &
> & We are trying to use openldap with solaris2.6 to manage users accounts...
> &
> & We have successfully compiled openldap.
> & We have successfully compiled a new pam module for authentication
> & using ldap.
> & We have successfully compiled a new nss_ldap.
> & We have configured /etc/pam.conf to use the new pam module
> & We have configured /etc/ldap.conf and /usr/local/etc/slapd.conf
> & We have configured /etc/nsswitch.conf
> &
> & After starting the slapd daemon we have added the following three
> & entries into
> & the ldap database with ldapadd no problem.
> &
> & dn: dc=jpmorgan,dc=geneva,dc=ch
> & description: jpmorgan
> & objectclass: organization
> & objectclass: dcObject
> &
> & dn: ou=People,dc=jpmorgan,dc=geneva,dc=ch
> & description: people
> & objectclass: person
> & objectclass: dcObject
> &
> & dn: uid=ldap,ou=People,dc=jpmorgan,dc=geneva,dc=ch
> & uid: ldap
> & cn: LDAP user
> & objectclass: account
> & objectclass: posixAccount
> & objectclass: top
> & userpassword: {crypt}abcdef
> & loginshell: /bin/ksh
> & uidnumber: 1517
> & gidnumber: 10
> & homedirectory: /users/ldap
> & gecos: LDAP user
> &
> & But we need to add ObjectClass shadowAccount and indeed the
> & correct entries as
> & specified in RFC2307 yes?
> &
> & How? forgive me but I do not know X.500 or openldap so well...
> &
> & And indeed is there another step we have missed out?
> &
> & Mark
> &