*** Reply to note of Thu, 18 Dec 2003 10:18:41 -0500 (EST/CDT)
*** by [EMAIL PROTECTED]
I did a couple of tests and it seems to work for me (by default we use
SecurID for the authentication part). You may need a newer pam_ldap version
(I am using pam_ldap-164).
The ACL depends on whether you are using an anonymous bind or a proxy user
(rootbinddn). You can start with:
access to dn="..dc=com" attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
and change as needed.
SLES8 includes the CPU tool to add/change/delete users and groups
Sal
Eric Sammons <[EMAIL PROTECTED]> writes:
>I have done that and it sort of worked. It seemed to take on the
>characteristics thereafter of an ACL problem. By changing the ACLs I get
>different behavior; however, I can't seem to find the right ACLs that
>cause the implementation to work.
>
>Do you have this working? Can I ask what your LDAP ACLs look like?
>
>Thanks!
>Eric Sammons
>(804)697-3925
>FRIT - Unix Systems
>
>"Sal Torres/SBC Inc." <[EMAIL PROTECTED]>
>Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
>12/18/2003 10:03 AM
>Please respond to Linux on 390 Port
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Anyone using OpenLDAP with SLES8? Question with Passwords
>
>Try to set the shadow last change to zero. pam_ldap is supposed to
>expire the account:
>...
>    if (session->info->shadow.lstchg == 0)
>    {
>        /*
>         * Adhere to convention of a shadow last change
>         * value of 0 implying that the password has
>         * expired. Apparently this is documented in the
>         * shadow suite (libmisc/isexpired.c).
>         */
>        session->info->password_expired = 1;
>...
>
>sal
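To see what the shadowLastChange convention quoted above does to a login, here is an added example (not pam_ldap's or the shadow suite's code) that models the shadow(5) aging check on constructed entries; the struct, the state values and the sample day numbers are my assumptions, not anything from the thread.

```c
#include <stdio.h>

/* Added example, not pam_ldap's or the shadow suite's code: a model of the
 * shadow(5) aging convention the quoted pam_ldap fragment follows, so the
 * effect of different shadowLastChange values can be checked without a
 * directory. All day counts are days since 1970-01-01. */
enum shadow_state { PW_OK = 0, PW_EXPIRED = 1, ACCT_INACTIVE = 2, ACCT_EXPIRED = 3 };

struct shadow_info {
    long lstchg;  /* shadowLastChange; 0 = must change now, -1 = no aging */
    long max;     /* shadowMax; -1 = no maximum age */
    long inact;   /* shadowInactive; -1 = disabled */
    long expire;  /* shadowExpire; -1 = account never expires */
};

/* Evaluate the aging fields for 'today' (days since epoch). */
enum shadow_state shadow_check(const struct shadow_info *s, long today)
{
    /* Account expiry is checked first and is independent of password age. */
    if (s->expire > 0 && today >= s->expire)
        return ACCT_EXPIRED;
    /* The convention from the thread: a last-change value of 0 means the
     * password is expired, whatever shadowMax says. */
    if (s->lstchg == 0)
        return PW_EXPIRED;
    /* A negative last-change or max value disables password aging entirely. */
    if (s->lstchg < 0 || s->max < 0)
        return PW_OK;
    /* Password expired and the inactivity grace period has also passed. */
    if (s->inact >= 0 && today >= s->lstchg + s->max + s->inact)
        return ACCT_INACTIVE;
    if (today >= s->lstchg + s->max)
        return PW_EXPIRED;
    return PW_OK;
}

int main(void)
{
    /* Constructed sample entries; day 12400 is roughly December 2003. */
    struct shadow_info fresh  = { 12400, 90, -1, -1 };
    struct shadow_info forced = { 0,     90, -1, -1 };
    struct shadow_info stale  = { 12200, 90,  7, -1 };
    long today = 12400;
    printf("fresh:  %d\n", shadow_check(&fresh, today));   /* 0: PW_OK */
    printf("forced: %d\n", shadow_check(&forced, today));  /* 1: PW_EXPIRED */
    printf("stale:  %d\n", shadow_check(&stale, today));   /* 2: ACCT_INACTIVE */
    return 0;
}
```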