I found this and it might be of use to you and a couple of others here playing with Linux, Samba, PAM etc.:
http://www.openntf.org/projects/pmt.nsf/HomeLookup/2C7B9238190CDED588256D09003D2536?OpenDocument
Additional info on integrating SAMBA and OpenLDAP that might be useful for Domino as well:
http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#samba.schema
Some notes on my progress on a slightly different approach to the problem. I got the underlying Linux authentication system to look to Domino for credentials; it will then work for anything that supports PAM (Pluggable Authentication Modules). I was working on getting CVS running. There are some political battles in the CVS team, which mean that the official version of CVS does not support PAM, but it can be patched to do so quite easily (I managed it, so it can't be that hard).
To act as an authentication server Domino must support the posixAccount Schema and the posixGroup Schema.
Add a subform to your Domino directory. I called mine "LDAP posixAccount Schema".
Add the following fields. Note that all are text; do not for a moment consider making the UIDNumber and GIDNumber numeric. If you do, then you are stuffed, as the UNK table gets the wrong datatype.
UIDNumber - text!!!! editable, default value something to create a unique number, I used "@Text(@Integer(1000+(@Random*1000)))"
GIDNumber - text!!!! computed, formula is "UIDNumber"
home directory - editable, default value "/home/"+@LowerCase(shortname)
login shell - editable, default value "/bin/bash"
$objectclass - computed, allow multiple values, "posixAccount":"posixGroup"
Add your subform to the existing subform $PersonExtensibleSchema.
Refresh a few person documents.
Go to your server console and type "tell ldap reload schema".
You now have a nicely configured LDAP server.
On the client side (that is, your Linux machine):
Open a couple of root shells and leave them open; you could lock yourself out in this process.
Edit /etc/ldap.conf; only the following lines should be uncommented:
host www.yourserver.com
binddn cn=Jean-Luc Picard,o=Enterprise
bindpw makeitso
rootbinddn cn=Jean-Luc Picard,o=Enterprise
pam_password clear
ssl no
Replace the example values with a user and password that can read your NAB but not much else.
echo makeitso>/etc/ldap.secret
Run authconfig, or edit /etc/pam.d/system-auth; mine looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
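
An added example, not part of the original post: a shell audit of the client files from the steps above, reporting the settings that leave the bind password or user passwords exposed (ssl no, pam_password clear, a bindpw in a world-readable ldap.conf, and an ldap.secret created with default permissions). The function names, finding labels, sample host and sample DN are made up for illustration; the set of ssl values treated as enabling TLS is an assumption, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the client files above.
# Function names and finding labels are made up for illustration.

# First word of a "keyword value" setting; commented-out lines never match.
conf_get() {  # conf_get FILE KEYWORD
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# Print one finding per line; print nothing when both files pass.
audit_ldap_client() {  # audit_ldap_client LDAP_CONF LDAP_SECRET
    conf=$1; secret=$2
    # Assumption: only these ssl values turn TLS on. Otherwise binds and
    # user passwords cross the network unencrypted.
    case "$(conf_get "$conf" ssl)" in
        on|yes|true|start_tls) tls=1 ;;
        *) tls=0; echo "cleartext-ldap" ;;
    esac
    # pam_password clear sends a new password unhashed, so a password
    # change is only as protected as the connection.
    if [ "$tls" -eq 0 ] && [ "$(conf_get "$conf" pam_password)" = "clear" ]; then
        echo "cleartext-password-change"
    fi
    # A bindpw in a world-readable ldap.conf is visible to every local user.
    case "$(stat -c %a "$conf")" in
        *[4567]) [ -n "$(conf_get "$conf" bindpw)" ] && echo "bindpw-world-readable" ;;
    esac
    # "echo ... > ldap.secret" inherits the umask (typically mode 644).
    case "$(stat -c %a "$secret")" in
        *00) ;;
        *) echo "secret-not-private" ;;
    esac
    return 0
}

# Constructed sample: the page's settings as the steps above leave them.
make_sample() {  # make_sample DIR
    ( umask 022
      printf '%s\n' 'host ldap.example.com' 'binddn cn=reader,o=Example' \
          'bindpw makeitso' 'rootbinddn cn=reader,o=Example' \
          '#ssl on' 'pam_password clear' 'ssl no' > "$1/ldap.conf"
      echo makeitso > "$1/ldap.secret" )
}

dir=$(mktemp -d)
make_sample "$dir"
audit_ldap_client "$dir/ldap.conf" "$dir/ldap.secret"
rm -rf "$dir"
```

Run it against copies of /etc/ldap.conf and /etc/ldap.secret; the secret file passes once it is mode 600.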