Special thanks to Jeremy Loukinas and Todd Wilkinson for assisting me. I'm not exactly sure what ended up working, but I went ahead and rebuilt the client and played with the server-side Security Policies, and now I appear to once again have a working LDAP authentication environment. Wish I could provide the golden ticket, but I'm still unclear which part fixed it.

---------- Forwarded message ----------
From: Ryan Mcewan <mcmeister@gmail.com>
Date: May 18, 2005 3:49 PM
Subject: Sun One Directory server 5.2 and user authentication
To: sunmanagers@sunmanagers.org

I'm swimming in information, yet I cannot seem to get this to work. I had a working model, but then in my efforts to rebuild everything to ensure that I knew what I was doing, I've broken something. Now I can't figure out what's going on.

Here is my problem:

Solaris 9 DS 5.2 (ldap server)
Solaris 8 ldap client (will eventually be Solaris 9 and various Linux clients)

I set up the LDAP server using TLS and everything is great. I can authenticate users on the Solaris 8 client, but password enforcement, etc. is not working. Below is my pam.conf file as well (this is the latest; I've tried many. This was taken directly from docs.sun.com).

My ultimate goal is to use pam_ldap as it can use SHA for password encryption and thus have passwords longer than 8 characters. I've also set up a Password Policy, but it does not seem to be enforcing it. Any time I change my passwd from the LDAP client it goes back to crypt from SHA, and it is also not enforcing the character limit nor the password history. It also does not seem to be enforcing password expiry. I had this working at one time, but now it's broken and I'm not sure what I've done.

client's pam.conf:

#
# ident "@(#)pam.conf 1.19 03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required   pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_dial_auth.so.1
login   auth sufficient pam_unix_auth.so.1
login   auth required   pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth required   pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth sufficient pam_unix_auth.so.1
rlogin  auth required   pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_authtok_get.so.1
rsh     auth required   pam_dhkeys.so.1
rsh     auth sufficient pam_unix_auth.so.1
rsh     auth required   pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required   pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_dial_auth.so.1
ppp     auth sufficient pam_unix_auth.so.1
ppp     auth required   pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth required   pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth sufficient pam_unix_auth.so.1
other   auth required   pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient pam_passwd_auth.so.1
passwd  auth required   pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required pam_projects.so.1
cron    account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite pam_roles.so.1
other   account required  pam_projects.so.1
other   account required  pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1
other   password required   pam_authtok_get.so.1
other   password required   pam_authtok_check.so.1
other   password sufficient pam_authtok_store.so.1
other   password required   pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login  auth optional pam_krb5.so.1 try_first_pass
#other  auth optional pam_krb5.so.1 try_first_pass
#cron   account optional pam_krb5.so.1
#other  account optional pam_krb5.so.1
#other  session optional pam_krb5.so.1
#other  password optional pam_krb5.so.1 try_first_pass
#

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Jun 1 12:36:00 2005
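Added example, not part of the original post or of Sun's configuration: a small Python audit script that parses a Solaris-style pam.conf and reports, for each service/module-type stack, every `required` module listed after a `sufficient` one. In Solaris PAM a `sufficient` module that succeeds (with no earlier `required` failure) ends the stack immediately, so such later modules only run when the sufficient module fails; the sample input is constructed from the login auth and password stacks quoted above.

```python
"""Audit a Solaris pam.conf for 'required' modules shadowed by an earlier
'sufficient' one. Added example, not from the original post or from Sun:
in Solaris PAM a 'sufficient' module that succeeds (with no earlier
'required' failure) ends the stack, so later modules run only if it fails."""
from collections import defaultdict
# Constructed sample: the login auth and password stacks quoted in the post.
SAMPLE_PAM_CONF = """\
# comments and blank lines are ignored
login   auth     required    pam_authtok_get.so.1
login   auth     required    pam_dhkeys.so.1
login   auth     required    pam_dial_auth.so.1
login   auth     sufficient  pam_unix_auth.so.1
login   auth     required    pam_ldap.so.1 try_first_pass
other   password required    pam_dhkeys.so.1
other   password required    pam_authtok_get.so.1
other   password required    pam_authtok_check.so.1
other   password sufficient  pam_authtok_store.so.1
other   password required    pam_ldap.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(flag, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, flag, module = fields[:4]
        stacks[(service, mtype)].append((flag.lower(), module, fields[4:]))
    return dict(stacks)

def shadowed_by_sufficient(stacks):
    """(service, type, module, sufficient_module) for each 'required' module
    listed after a 'sufficient' one in the same stack."""
    findings = []
    for (service, mtype), entries in stacks.items():
        earlier_sufficient = None
        for flag, module, _options in entries:
            if earlier_sufficient and flag == "required":
                findings.append((service, mtype, module, earlier_sufficient))
            if flag == "sufficient":
                earlier_sufficient = module
    return findings

if __name__ == "__main__":
    for svc, typ, mod, suff in shadowed_by_sufficient(parse_pam_conf(SAMPLE_PAM_CONF)):
        print(f"{svc}/{typ}: {mod} runs only when {suff} fails")
```

Run against the real file with `parse_pam_conf(open("/etc/pam.conf").read())`; for the password stack above it reports that pam_ldap.so.1 is reached only when pam_authtok_store.so.1 fails.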