John Summerfield wrote:
Mark Perry wrote:
Hi list,
I have been manually adding users to LDAP by adding the --service ldap
and -D options, works fine.

SAP (via sapinst) tries to add userids dynamically by calling
/usr/sbin/useradd directly, which fails.

Can SLES 10 with OpenLDAP be configured so that useradd/usermod commands

I'm sure it can (RHEL can for sure). It's in PAM, the nss_ldap module.

This should give some clues:
[EMAIL PROTECTED] ~]# grep ldap /etc/pam.d/*
/etc/pam.d/system-auth:auth        sufficient    pam_ldap.so use_first_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
/etc/pam.d/system-auth:password    sufficient    pam_ldap.so use_authtok
/etc/pam.d/system-auth:session     optional      pam_ldap.so
/etc/pam.d/system-auth-ac:auth        sufficient    pam_ldap.so use_first_pass
/etc/pam.d/system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
/etc/pam.d/system-auth-ac:password    sufficient    pam_ldap.so use_authtok
/etc/pam.d/system-auth-ac:session     optional      pam_ldap.so
[EMAIL PROTECTED] ~]#



work directly on LDAP entries without specifying --service or -D ?
If so, does this allow for the root user to still be in /etc/passwd for
security/reliability? Or is it an ALL-LDAP solution?

I am not looking for workarounds, such as bash aliases or shell scripts
- I already use these ;-)
Hi John,
pam is certainly one of the tracks I am following.

This is a classic difference between RHEL and SLES - SLES uses
pam_unix2, which has its own config file:
/etc/security/pam_unix2.conf

In this file is set:
auth:   use_ldap
account:        use_ldap
password:       use_ldap

I think this is SLES's way of using pam_ldap but I'm not 100% sure.

pam_unix2 is capable of using pam_ldap via the parm "call_modules", but
I need a dedicated system to do these kinds of
experiments, will take some time.

mark

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
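
The two PAM layouts quoted in this thread can be compared with a small read-only check. This is an added example, not code from either poster; the function names, the file name "common" and the sample trees are constructed for illustration, and the script only reports PAM routing, not what useradd does.

```bash
#!/bin/sh
# Added example (not from the thread): report, per PAM module type, whether
# LDAP is consulted under a given root directory. Two routes are checked:
#   pam_ldap.so listed directly in etc/pam.d/* (the grep output quoted above)
#   pam_unix2.so in etc/pam.d/* plus "use_ldap" for that type in
#   etc/security/pam_unix2.conf (the SLES file quoted above)
# It scans all service files together; it does not resolve one service's stack.

in_stack() {  # in_stack ROOT TYPE MODULE: is MODULE listed for TYPE?
    grep -qsE "^[[:space:]]*-?$2[[:space:]].*[[:space:]/]$3([[:space:]]|\$)" "$1"/etc/pam.d/*
}

ldap_pam_report() {  # prints one "type=route" line per module type
    root="${1:-}"
    for t in auth account password session; do
        via=""
        in_stack "$root" "$t" 'pam_ldap\.so' && via="pam_ldap.so"
        if in_stack "$root" "$t" 'pam_unix2\.so' &&
           grep -qsE "^[[:space:]]*$t:(.*[[:space:]])?use_ldap([[:space:]]|\$)" \
               "$root/etc/security/pam_unix2.conf"; then
            via="${via:+$via,}pam_unix2:use_ldap"
        fi
        printf '%s=%s\n' "$t" "${via:-none}"
    done
}

build_sample_root() {  # build_sample_root sles|rhel: constructed sample tree
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/pam.d" "$d/etc/security"
    if [ "$1" = rhel ]; then
        printf '%s\n' 'auth     sufficient pam_ldap.so use_first_pass' \
            'account  [default=bad success=ok user_unknown=ignore] pam_ldap.so' \
            'password sufficient pam_ldap.so use_authtok' \
            'session  optional   pam_ldap.so' > "$d/etc/pam.d/system-auth"
    else
        printf '%s required pam_unix2.so\n' auth account password session \
            > "$d/etc/pam.d/common"
        printf '%s\n' 'auth:     use_ldap' 'account:  use_ldap' \
            'password: use_ldap' 'session:  none' > "$d/etc/security/pam_unix2.conf"
    fi
    echo "$d"
}

for style in rhel sles; do
    r=$(build_sample_root "$style"); echo "[$style]"; ldap_pam_report "$r"; rm -rf "$r"
done
```

Calling ldap_pam_report with no argument inspects the live /etc tree instead of a sample.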
