Problem in logging in by LDAP Client
Hi,
We have installed Sun ONE Directory Server 5.2_4. When we try to log in using an account created with the console, we are not able to do so. But if I try to su to the account from root, I am able to do so. We have tried creating additional new accounts with minimal required configuration, but even they are not able to log in.
The output of logins shows that the account is locked. We have not been able to find anything on the console to unlock it.
# logins -x -l test1
test160101500
/export/home/test1
/bin/bash
LK 010170 0 0 0
Would appreciate if anyone can help us out.
Rgds
By adaddu at 2007-11-26 10:56:35

# 1
I ran into the same problem last week. Hope there is a solution. Thanks, Britto
# 2
Found the answer after searching on the web. The shadowAccount object class needs to be added.
When using People/New/User to create a new User Account, there is NO option to specify the "shadowAccount" objectClass; without the "shadowAccount" objectClass, account login and the account lockout feature won't work.
In SUN ONE Console, "Edit With Generic Editor" can be used to select "objectClass" and "Add a Value" of "shadowAccount".
HTH
Arvinder
# 3
Thx, I'll try the same. Thanks, Britto
# 4
the solution is to not use the console when creating posix accounts unless you don't mind having to use the custom editor each and every time. you can configure smc to manage posix accounts but to be blunt smc is worthless.
take a look at LDAP Account Manager, http://lam.sourceforge.net/ for a nice tool for managing all of your ldap accounts. it's the only decent web based tool that i've found for this.
# 5
Is this tool recommended by SUN? Thanks, Britto
# 6
i'm sure that sun doesn't recommend it, but it works better than anything i've used that comes out of sun.
# 8
Hi, I also have the same problem, but can you explain in more detail how to create accounts and when to add the shadowAccount objects, and why not to add posixAccount objects using the console? Please, I need help. Regards, majlinda
# 9
i'm not saying that you shouldn't add posixAccount/shadowAccount object from the console i'm saying that it's tedious and there are better tools for managing user/group accounts.
you need to add the posixAccount object type to a user when said user is going to authenticate from a unix host. this object class defines things like loginShell, uidNumber, gidNumber, gecos, etc.
the shadowAccount is also only used for a user who is going to authenticate from a unix host, but it is only used to enforce password policy on the unix system, things like when the password expires, etc. while not technically required, it should be used.
# 10
If you are using OpenLDAP, the DESC line is self-explanatory, and sometimes isn't as helpful as you might like. The MUST line consists of a list of required attributes that every posixAccount object must have associated with it. The MAY line is a similar list, but these attributes are all optional, or allowed.
Thanks
--Britto
# 11
Thanks, darinp.
It is clear to me, I have added these objects using the Generic editor, but do you know if this is the same for authenticating clients against an LDAP server on a Windows machine?
And what else should be done on a Unix server machine, actually how to configure the authentication method?
Regards, majlinda
# 12
the operating system that SunDS is running on is irrelevant when it comes to client authentication.
configuring unix/linux client authentication is straight forward but very detailed. i strongly recommend that you read gary tay's fantastic "Installing and configuring iPlanet Directory Server for Solaris9" howto. it will answer all of these questions and more.
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm
# 13
I'm searching my company database for this document.
# 14
I've got all my users in ldap that authenticate against our Solaris box where the users' home directories are. But I have a twist to the current question. When you create a new account automatically using LDIF files, how is everyone finding out in LDAP which gidNumber and uidNumber is not being used? I need to find a way to find the next available numbers.
# 15
you need to check the uidNumber, figure out which one is the largest and add 1 to said number.
here's one ugly way to do it...
# ldapsearch prints LDIF ("uidNumber: 500"), so the values are split on
# whitespace, not on "=" (awk -F= would match nothing in that output).
# -w puts the bind password on the command line, where ps can see it;
# prefer the password-file option your ldapsearch provides.
expr 1 + $(ldapsearch -h ldaphost \
    -D "cn=proxyagent,ou=profile,dc=domain,dc=com" \
    -w password \
    -b "ou=people,dc=domain,dc=com" "uidNumber=*" |
    grep '^uidNumber:' | awk '{print $2}' | sort -n | tail -1)
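An added example, not posted by anyone in this thread, that ties #2 and #15 together: it parses the LDIF that ldapsearch prints, flags posixAccount entries that lack shadowAccount (the lockout cause found in #2), and computes the next free uidNumber, filling gaps as well as taking max+1 as the pipeline above does. The LDIF sample and its ou=people DNs are constructed.

```python
"""Audit LDIF from `ldapsearch ... "uidNumber=*"` for the two issues in this thread."""
from collections import defaultdict
# Constructed sample, not real directory data. LDIF is "attr: value", so awk -F= finds nothing.
SAMPLE_LDIF = """\
dn: uid=test1,ou=people,dc=domain,dc=com
objectClass: posixAccount
uidNumber: 500
gidNumber: 500

dn: uid=test2,ou=people,dc=domain,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 502
gidNumber: 500
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; entries are separated by a blank line."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():            # blank line closes the current entry
            if cur:
                entries.append(cur)
                cur = defaultdict(list)
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()].append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def missing_shadow(entries):
    """DNs of posixAccount entries with no shadowAccount objectClass (see #2)."""
    out = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes and "shadowaccount" not in classes:
            out.append(e["dn"][0])
    return out

def next_uid(entries, floor=500):
    """Return (lowest free uidNumber >= floor, max+1 as the pipeline above computes)."""
    used = {int(v) for e in entries for v in e.get("uidnumber", [])}
    candidate = floor
    while candidate in used:
        candidate += 1
    return candidate, (max(used) + 1 if used else floor)
```

Feed it the saved output of the ldapsearch above instead of SAMPLE_LDIF to audit a real ou=people subtree.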
# 16
ldaplist -l passwd | grep uidNumber
Does this solve what you are looking for?
# 17
this would only work on solaris, or on systems with ldaplist.
# 18
if you are using a Windows client you can use http://www.ldapeditor.com. They support posix/inetorg and shadow accounts. It's also an excellent ldap browser and editor.