ds6 account management
Hi,
I have DS6 on Solaris 10 and have set up a Solaris 10 native LDAP client. The plan is to replace NIS with LDAP. The client machine binds using tls:simple with a proxyagent account, and account management is done via pam_ldap. This basically works; for instance, I have set account locking after 2 retries and a timeout value so the account locks/unlocks automatically. This works fine for ssh and rsh.
However:
1. If I manually set an account to inactive using /opt/SUNWdsee/ds6/bin/ns-inactivate, I can still log in, possibly because the bind DN is the proxyagent rather than the user's DN? So how do I set this up so that I can manually lock/unlock a user's account?
2. When the account is automatically locked after 2 retries, there should be a message warning that the account is locked sent to the user's terminal. What config is required for this message to be sent?
Many thanks,
Terry.
By RoadKinga at 2007-11-27 6:37:15

# 1
Yes, you are probably using pam_unix mode. In this mode the "proxyagent" user is BINDing to DS and just matching passwords. You need to configure pam_ldap, so the real user (not proxyagent) BINDs to DS and can be locked/warned. HTH
# 2
Fairly sure pam_ldap is working as I don't think the auto account locking would work with pam_unix?
Relevant pam.conf entries:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# sshd
#
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_dial_auth.so.1
sshd auth binding pam_unix_auth.so.1 server_policy
sshd auth required pam_ldap.so.1
# 3
I think the default Solaris pam.conf uses pam_unix. If pam_ldap is the choice, check that the DS ACI denies "proxyagent" the ability to read the userPassword attribute.
This is because the pam_unix module on a Solaris client PAM stack (pam.conf) has precedence over the pam_ldap module; if pam_unix succeeds, pam_ldap is never attempted. The only way to ensure pam_ldap is always used is to deny "proxyagent" read access to the userPassword attribute on DS.
# 4
Yes, pam_unix does have precedence in the stack over pam_ldap, but according to Sun docs, the binding control and server_policy option should invalidate pam_unix if the account is not local (i.e. it is on the LDAP server) and then invoke the pam_ldap module.
I'll set up some debugging on PAM and edit the ACI so proxyagent cannot read passwords, hopefully. ACIs look awfully complex to me.
Thanks for the info
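The ACI change suggested in post #3 and planned in post #4, written out as an added example (not from the thread and not from Sun's documentation) in the ACI syntax Sun Directory Server uses. The suffix dc=example,dc=com and the proxy DN cn=proxyagent,ou=profile,dc=example,dc=com are assumed placeholders; substitute the real suffix and the DN the client's proxy profile binds with. Continuation lines carry two leading spaces because LDIF strips the first one when it joins the value.

```ldif
# Added example, not the thread's own configuration.
# Deny the proxy account read, search and compare access to userPassword.
# With the hash unreadable, pam_unix_auth cannot match the password through
# the proxy bind and the stack falls through to pam_ldap, which binds as the
# user's own DN. DS then enforces the user's password policy and the
# nsAccountLock flag set by ns-inactivate at bind time.
# DNs below are assumed placeholders.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
  (version 3.0; acl "deny proxyagent read of userPassword";
  deny (read, search, compare)
  userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
```

Apply it with ldapmodify as the Directory Manager, then verify the effect by searching for a user entry while bound as the proxy DN: the entry should come back without a userPassword attribute. A login attempt afterwards should show pam_ldap rather than pam_unix_auth succeeding in the PAM debug output, and a user inactivated with ns-inactivate should be refused because the bind as that user's DN fails.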