RE: Configuring Solaris 8 clients

--On Thursday, March 27, 2003 4:27 PM -0500 Igor Brezac <igor@ipass.net> wrote:

On Thu, 27 Mar 2003, Matthew Mauzy wrote:

> My guess is that anonymous cannot read userPassword attribute, or the
> userPassword attribute is not of the {crypt}xxxxxxxxxxxxx form.

Correct. My userPassword attribute is {KERBEROS}principal@REALM

To my knowledge this will not work. I tried other hashes such as md5 and cleartext and none of them worked. userPassword has to use a {crypt} hash.

Are you saying that using anything other than {crypt} for any account won't work or rather the NS_LDAP_BINDDN needs to use a {crypt} password?

I am now getting account info from LDAP. Only problem is getting PAM stacked correctly to allow login via ssh/telnet/xdm for LDAP accounts. I can su into the account, but logins fail to no local accounts.

If you leave default pam config, login pam_unix_auth will be used which in turn will consult nsswitch. You can configure pam to use ldap directly, check 'man pam_ldap'. It is very simple.

I suppose now this thread is getting a bit off topic for this list, but you've been so helpful I'll keep asking... In the man page for pam_ldap it seems to me that I only need to add pam_ldap to pam.conf if I was using ldap for password authentication and management. Since I'm using kerberos 5 for password authentication can I just ignore the pam_ldap (and use pam_unix via nsswitch.conf)? Is my problem more with the stacking of pam_krb5 module?
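A check for the {crypt} requirement discussed above, as an added example that is not from this thread or from any Solaris tool: it parses the LDIF that `ldapsearch` prints when run as the client's bind identity (a constructed sample is embedded, with made-up DNs and values) and reports, per entry, whether userPassword is readable at all and whether it uses the {crypt} scheme that pam_unix needs.

```python
import base64
import re

# Constructed sample of `ldapsearch ... userPassword` output (LDIF); not real directory data.
# bob's value is base64-encoded ("::"), as ldapsearch does for values with special characters;
# dave's entry has no userPassword, as seen when the bind DN lacks read access to it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {KERBEROS}alice@EXAMPLE.COM

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: e2NyeXB0fWFiY2RlZmdoaWprbG0=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==

dn: uid=dave,ou=People,dc=example,dc=com
"""

SCHEME = re.compile(r"^\{([^}]+)\}")


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry (folded lines and base64 handled)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(name.lower(), []).append(value.strip())
    return entries


def check_entries(ldif_text):
    """Map each DN to 'ok' ({crypt}), 'unreadable' (no userPassword seen), or the scheme found."""
    result = {}
    for entry in parse_ldif(ldif_text):
        dn, pw = entry["dn"][0], entry.get("userpassword")
        if not pw:
            result[dn] = "unreadable"
            continue
        match = SCHEME.match(pw[0])
        scheme = match.group(1).lower() if match else "cleartext"
        result[dn] = "ok" if scheme == "crypt" else scheme
    return result
```

Running `check_entries` on the real output of an anonymous (or NS_LDAP_BINDDN) search shows in one pass which accounts the native client can never authenticate with pam_unix.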