But it seems that this policy is not activated; for example, pwdMinLength is set to 3, but when the user changes his/her password, it seems that the Solaris policy from the /etc/default/passwd file takes over:
Code:
test5:/ $ ssh admin777@10.1.1.5
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER
APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
TO MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
Password:
Last login: Tue Jul 12 11:14:22 2011 from test5.example.
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sourcing //.profile-EIS.....
test5:/ $ id
uid=5011(admin777) gid=1000(users) groups=1000(users)
test5:/ $ passwd
passwd: Changing password for admin777
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.
Please try again
New Password:
test5:/ $ cat /etc/default/passwd
#ident @(#)passwd.dfl 1.7 04/04/22 SMI
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8
# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of NO will disable login name checking.
#
NAMECHECK=YES
It seems that the Solaris password policy forces the user to use the Solaris policy and ignores the LDAP ppolicy. Below is my slapd.conf file:
Code:
test5:/ $ cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
include /usr/local/etc/openldap/schema/solaris.schema
include /usr/local/etc/openldap/schema/java.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
loglevel 256
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload ppolicy.la
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
checkpoint 32 30
cachesize 10000
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw "{SSHA}6FWujVb4YNHJDyniwoWaHTMfXBJBM8u7"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index uid,uidNumber,gidNumber,shadowExpire,shadowLastChange eq
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
Any ideas would be highly appreciated!
Hi,
I'm currently working on the same thing as you. Are you using the Solaris native client or another LDAP client? I understand that there are a few extra steps involved if you use the native client. I see you have the extra schemas you need for Solaris. I would look at your PAM.
I'm still learning myself, so I hope you find your answer.
Hi,
I'm using the native Solaris 10 client and I'm initializing it with the following:
Code:
ldapclient manual -v -a authenticationMethod=none -a defaultSearchBase=dc=example,dc=com -a defaultServerList=127.0.0.1
Yeah, I think that my problem lies with the pam.conf file, but I've tried so many combinations... At the moment for ssh I have:
Code:
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
#other auth required pam_ldap.so.1
#
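The pam.conf excerpt above shows only the auth stack, but the "Password too short" message comes from the password stack, where Solaris runs its local checks before the new password is stored. The following is an added example, not the poster's file: it parses a Solaris-style pam.conf and reports which modules a password change goes through. The sample text combines the auth lines from this thread with the standard Solaris 10 password stack (an assumption about the poster's setup), and the pam_authtok_check module is the one that enforces PASSLENGTH from /etc/default/passwd on the client before the LDAP server's ppolicy sees the password.

```python
"""Added example: parse a Solaris-style pam.conf and show which modules a
password change hits, so the local /etc/default/passwd checks
(pam_authtok_check) can be told apart from the server-side LDAP ppolicy."""
from collections import defaultdict

# Constructed sample, not the poster's full file: the 'auth' lines match the
# thread; the 'password' stack is the Solaris 10 default, assumed here.
SAMPLE_PAM_CONF = """\
# Default definitions for Authentication management
other auth sufficient pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
#other auth required pam_ldap.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options)]}, skipping comments."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: Solaris needs service, type, control, module
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks

def stack_for(stacks, service, mtype):
    """Service-specific stack if one exists, otherwise the 'other' fallback."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def local_checks_before_store(stacks, service="passwd"):
    """True when pam_authtok_check runs before pam_authtok_store: the client
    applies /etc/default/passwd rules (PASSLENGTH etc.) before the new
    password is ever sent to the repository where ppolicy could check it."""
    modules = [m for _, m, _ in stack_for(stacks, service, "password")]
    if "pam_authtok_check.so.1" not in modules or "pam_authtok_store.so.1" not in modules:
        return False
    return modules.index("pam_authtok_check.so.1") < modules.index("pam_authtok_store.so.1")

if __name__ == "__main__":
    st = parse_pam_conf(SAMPLE_PAM_CONF)
    for ctl, mod, _ in stack_for(st, "passwd", "password"):
        print(f"{ctl:10} {mod}")
    print("local checks run before store:", local_checks_before_store(st))
```

Running it against a real /etc/pam.conf (read the file instead of the sample) shows whether the 8-character minimum is coming from the client stack rather than from slapd.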
I was never able to get the openldap server to run right on Solaris 10; I did get it running on Solaris 11 though. I opted to install the openldap server on CentOS because openldap just runs/configures easier on Linux. I'm in the process of configuring the Solaris clients to authenticate off of the openldap server. I'm experimenting with different ldap clients.
Which installer did you use to install the openldap on Solaris? Did you compile the source from openldap or use sunfreeware, blastware and opencw packages?
Hi,
I downloaded the software from SunFreeWare, openldap-2.4.24.tar.gz, and installed it with pkgadd. Keep in mind that you might find some dependencies; below is an extract from my scripts that highlights what will be installed. I just uninstalled the packages and reinstalled these below:
Code:
clear
echo "******************** OpenLDAP setup ********************"
echo "This script will install OpenLdap 2.4.23, libtool 2.4, BerkeleyDB.4.7, openssl 1.0 and openssh 5.8p1"
echo "It will also setup a basic OpenLdap structure"
echo "logfile = /opt/temp/OpenLDAP/install.log"
echo "The following files need to be in directory /opt/temp/OpenLDAP"
echo "openldap-2.4.23-sol10-sparc-local.gz, libtool-2.4-sol10-sparc-local.gz, db-4.7.25.NC-sol10-sparc-local.gz"
echo "openssl-1.0.0d-sol10-sparc-local.gz, openssh-5.8p1-sol10-sparc-local.gz"
echo "openLDAP.gz"
---------- Post updated at 01:56 AM ---------- Previous update was at 12:43 AM ----------
Hmm, getting closer. When I start slapd in debug mode, it starts up, but in the debug log:
Code:
line 22 (pidfile /usr/local/var/run/slapd.pid)
line 23 (argsfile /usr/local/var/run/slapd.args)
line 26 (modulepath /usr/local/libexec/openldap)
line 27 (moduleload ppolicy.la)
loaded module ppolicy.la
module ppolicy.la: null module registered
line 64 (access to dn.base="" by * read)
>>> dnNormalize: <>
<<< dnNormalize: <>
Backend ACL: access to dn.base=""
by * read
The line "module ppolicy.la: null module registered" bothers me, as this is exactly my problem: the ppolicy overlay does not work. Any suggestions?
Hey, what's up.
I have not been able to work on the LDAP stuff lately.
I used this guide as well as others to install openldap on Solaris. http://uminac.com/wp-content/uploads...65774196-1.pdf
Now he uses blastware to install openldap on Solaris. This guide has sample files at the end that you can use or review. What I don't like is that he sets up TLS/SSL right away during the initial setup and uses a role to run openldap. I wanted a simpler setup for testing. I can always lock it down after I have a better understanding of LDAP.
This is what he has for the module stuff.
Code:
# Load dynamic backend modules:
modulepath /opt/csw/libexec/openldap
moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
My slapd.conf looks almost exactly like the one on this site, because I used this guide and the "RedHat Deployment Guide" to install openldap on CentOS: Centralize user accounts with OpenLDAP
There is no module stuff in this file. This guide is missing stuff, but I have yet to find a complete one.