Working With Naming and Directory Services in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library

Example pam_conf File Using the pam_ldap Module for Account Management


Note - Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, non-password-based logins using tools such as ssh would fail.

You can now perform account management and retrieve the account status of users without authenticating to Directory Server as the user who is logging in. The new control on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.

To change this control from its default setting, add Access Control Instructions (ACIs) on Directory Server:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhosts_auth)
#
rlogin  auth sufficient       pam_rhosts_auth.so.1
rlogin  auth requisite        pam_authtok_get.so.1
rlogin  auth required         pam_dhkeys.so.1
rlogin  auth required         pam_unix_cred.so.1
rlogin  auth binding          pam_unix_auth.so.1 server_policy
rlogin  auth required         pam_ldap.so.1
#
# rsh service (explicit because of pam_rhosts_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient       pam_rhosts_auth.so.1
rsh     auth required         pam_unix_cred.so.1
rsh     auth binding          pam_unix_auth.so.1 server_policy
rsh     auth required         pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth binding          pam_unix_auth.so.1 server_policy
ppp     auth required         pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite        pam_authtok_get.so.1
other   auth required         pam_dhkeys.so.1
other   auth required         pam_unix_cred.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required      pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required      pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
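
The following is an added example, not part of the Oracle documentation: a small Python audit that parses a pam.conf in the layout above and flags stacks that drift from the pattern this file uses, where a "binding" pam_unix_auth, pam_unix_account or pam_passwd_auth entry carries server_policy and is followed by a "required" pam_ldap.so.1. The function names and the sample input are constructed for illustration, and treating this file's pattern as the baseline is an assumption.

```python
# Added example: audit a legacy pam.conf for the stacking pattern shown on this page.
LOCAL = {"pam_unix_auth.so.1", "pam_unix_account.so.1", "pam_passwd_auth.so.1"}
LDAP = "pam_ldap.so.1"

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:  # service, module type, control flag, module path
            module = fields[3].rsplit("/", 1)[-1]  # tolerate a full module path
            stacks.setdefault((fields[0], fields[1]), []).append(
                (fields[2], module, fields[4:]))
    return stacks

def audit(text):
    """Return sorted findings for stacks that drift from the page's pattern."""
    findings = []
    for (service, mtype), entries in parse_pam_conf(text).items():
        for i, (control, module, opts) in enumerate(entries):
            if module not in LOCAL or control != "binding":
                continue
            if "server_policy" not in opts:
                findings.append(f"{service}/{mtype}: {module} is binding without server_policy")
            if not any(c == "required" and m == LDAP for c, m, _ in entries[i + 1:]):
                findings.append(f"{service}/{mtype}: no required {LDAP} after {module}")
        if mtype == "account" and all(m != LDAP for _, m, _ in entries):
            findings.append(f"{service}/account: explicit stack never calls {LDAP}")
    return sorted(findings)

# Constructed sample: entries in the page's layout, with two deliberate faults
# (rsh lost its pam_ldap line, passwd lost server_policy).
SAMPLE = """\
login   auth requisite        pam_authtok_get.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
rsh     auth sufficient       pam_rhosts_auth.so.1
rsh     auth binding          pam_unix_auth.so.1 server_policy
passwd  auth binding          pam_passwd_auth.so.1
passwd  auth required         pam_ldap.so.1
# cron has its own account stack, so the "other" account stack is not used for it
cron    account required      pam_unix_account.so.1
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the full file on this page, the only finding is the cron account stack, which the file defines explicitly without pam_ldap.so.1.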