RE: Configuring Solaris 8 clients

[Matthew Mauzy <matthew_mauzy@unc.edu>]

--On Thursday, March 27, 2003 4:27 PM -0500 Igor Brezac <igor@ipass.net> 
wrote:

> On Thu, 27 Mar 2003, Matthew Mauzy wrote:
>
> > > My guess is that anonymous cannot read userPassword attribute, or the
> > > userPassword attribute is not of the {crypt}xxxxxxxxxxxxx form.
> >
> > Correct.  My userPassword attribute is {KERBEROS}prinical@REALM
>
> To my knowledge this will not to work, I tried other hashes such as md5
> and cleartext and non of them worked.  userPassword has to use {crypt}
> hash.

Are you saying that using anything other than {crypt} for any account won't 
work or rather the NS_LDAP_BINDDN needs to use a {crypt} password?


> > I am now getting account info from LDAP.  Only problem is getting PAM
> > stacked correctly to allow login via ssh/telnet/xdm for LDAP accounts.  I
> > can su into the account, but logins fail to no local accounts.
>
> If you leave default pam config, login pam_unix_auth will be used which in
> turn will consult nsswitch.  You can configure pam to use ldap directly,
> check 'man pam_ldap'.  It is very simple.

I suppose now this thread is getting a bit off topic for this list, but 
you've been so helpful I'll keep asking...  In the man page for pam_ldap it 
seems to me that I only need to add pam_ldap to pam.conf if I was using 
ldap for password authentication and management.  Since I'm using kerberos 
5 for password authentication can I just ignore the pam_ldap (and use 
pam_unix via nsswitch.conf)?  Is my problem more with the stacking of 
pam_krb5 module?

--Matthew
__________________________________________________________________
                       Matthew W. Mauzy
                     Systems Administrator
                     Applied Math @ UNC-CH
email : mauzy@amath.unc.edu           pager : mpager@amath.unc.edu
(W) 919.962.9819   www.amath.unc.edu/~mauzy/   (P) 919.347.0390
__________________________________________________________________