Summary: Sun One Directory server 5.2 and user authentication

Ryan Mcewan mcmeister at gmail.com
Wed Jun 1 12:35:34 EDT 2005


Special thanks to Jeremy Loukinas and Todd Wilkinson for assisting me.
I'm not exactly sure what ended up working, but I went ahead and
rebuilt the client and played with the server side Security Policies
and now I appear to once again have a working ldap authentication
environment.  Wish I could provide the golden ticket, but I'm still
unclear which part fixed it.

---------- Forwarded message ----------
From: Ryan Mcewan <mcmeister at gmail.com>
Date: May 18, 2005 3:49 PM
Subject: Sun One Directory server 5.2 and user authentication
To: sunmanagers at sunmanagers.org


I'm swimming in information, yet I cannot seem to get this to work.
I had a working model, but then in my efforts to rebuild everything to
ensure that I knew what I was doing, I've broken something.  Now I
can't figure out what's going on.  Here is my problem:

Solaris 9 DS 5.2 (ldap server)
Solaris 8 ldap client (will eventually be solaris 9 and various linux
clients)

I set up the ldap server using TLS and everything is great.  I can
authenticate users on the solaris 8 client, but password enforcement,
etc. is not working.  Below is my pam.conf file as well (this is the
latest.  I've tried many.  This was taken directly from docs.sun.com).
My ultimate goal is to use pam_ldap as it can use SHA for password
encryption and thus have passwords longer than the 8 characters.

I've also setup a Password Policy, but it does not seem to be
enforcing it.  Anytime I change my passwd from the ldap client it goes
back to crypt from SHA and also is not enforcing the character limit
nor the password history.  It also does not seem to be enforcing
password expiry.  I had this working at one time, but now it's broken
and I'm not sure what I've done.

client's pam.conf:
#
# ident "@(#)pam.conf   1.19    03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth required           pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
#
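Added example, not part of the original post: a small simulator that walks a Solaris-style pam.conf stack using the control-flag rules documented in pam.conf(4), so you can see which modules actually get called for a given service and module type. Run against the default password stack above, it shows that a successful pam_authtok_store.so.1 (sufficient) ends the stack before pam_ldap.so.1 is reached, which is the first thing to check when an LDAP password module appears to be skipped. The module outcomes are supplied by the caller; the excerpt of pam.conf is constructed from the lines posted above.

```python
# Added example (not from the original post): evaluate a pam.conf stack
# with the control-flag rules of pam.conf(4) to see which modules run.

# Constructed excerpt of the pam.conf posted above.
PAM_CONF = """
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1 try_first_pass
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
"""

def parse_pam_conf(text):
    """Return (service, type, flag, module) tuples; comments/options dropped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4:
            entries.append(tuple(parts[:4]))
    return entries

def stack_for(entries, service, mtype):
    """Entries for service/type, falling back to "other" as PAM does."""
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    return stack or [e for e in entries if e[0] == "other" and e[1] == mtype]

def run_stack(stack, outcomes):
    """Simulate the stack.  outcomes maps module -> True/False (default True).
    Returns (stack_succeeded, modules_actually_called)."""
    called, required_failed = [], False
    for _, _, flag, module in stack:
        ok = outcomes.get(module, True)
        called.append(module)
        if flag == "requisite" and not ok:
            return False, called          # stop immediately on failure
        if flag == "required" and not ok:
            required_failed = True        # keep going, remember the failure
        if flag == "sufficient" and ok and not required_failed:
            return True, called           # success short-circuits the rest
        # optional modules and a failing sufficient do not change the result
    return not required_failed, called

if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    pw = stack_for(entries, "passwd", "password")   # no passwd/password line
    print(run_stack(pw, {}))                          # pam_ldap never called
    print(run_stack(pw, {"pam_authtok_store.so.1": False}))
```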