Hello,
At the moment I'm working with the Sun Java System Directory Server. I would like to migrate to Openldap but of course without losing functionality. I enabled pam_ldap account management on all my Linux and Solaris computers and everything worked fine. Everyone could do nonpassword-based logins using tools such as rsh or ssh. This feature was provided by the "Account Usable Request Control" (1.3.6.1.4.1.42.2.27.9.5.8) from the Directory Server which is needed by the ldap_pam module from Solaris. After the installation from openldap on my Solaris server I recognized that nonpassword-based logins on the Solaris computers are not possible anymore. This problem [1] was discussed 2 years ago on "openldap-software@openldap.org" but there was no solution described. I would like to know if there is a way to get this feature enabled with openldap? If not what can i do else?
More technically: If a ssh client connects with public key authentication to a Solaris computer the pam module is sending a query to the ldap server if the account policies are handled by ldap to get all supportedControls and to check if the "Account Usable Request Control" exists to retrieve the policy data without the explicit login from the user.
Thanks in advance!
Charls
[1] http://www.openldap.org/lists/openldap-software/200710/msg00041.html
Charls wrote:
Hello,
At the moment I'm working with the Sun Java System Directory Server. I would like to migrate to Openldap but of course without losing functionality. I enabled pam_ldap account management on all my Linux and Solaris computers and everything worked fine. Everyone could do nonpassword-based logins using tools such as rsh or ssh. This feature was provided by the "Account Usable Request Control" (1.3.6.1.4.1.42.2.27.9.5.8) from the Directory Server which is needed by the ldap_pam module from Solaris. After the installation from openldap on my Solaris server I recognized that nonpassword-based logins on the Solaris computers are not possible anymore. This problem [1] was discussed 2 years ago on "openldap-software@openldap.org" but there was no solution described. I would like to know if there is a way to get this feature enabled with openldap? If not what can i do else?
Actually I think Ando's reply outlined the solution quite clearly: you will have to implement the control and associated policy. It seems that between then and now nobody else has felt it was worth their time to do so. This Project is volunteer driven - things only happen when someone thinks they're important enough that they step forward and do it. Is it important enough to you?
[1] http://www.openldap.org/lists/openldap-software/200710/msg00041.html
openldap-technical@openldap.org
-
Charls -
Howard Chu