This is from the Sun website about their pam_ldap module:
Configuring PAM to Use LDAP server_policy
To configure PAM to use LDAP server_policy, follow the sample in
Example pam_conf file for pam_ldap Configured for Account Management
<http://docs.sun.com/app/docs/doc/816-4556/schemas-250?a=view>. Add
the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf
file. In addition, if any PAM module in the sample pam.conf file
specifies the binding flag and the server_policy option, use the same
flag and option for the corresponding module in the client's
/etc/pam.conf file. Also, add the server_policy option to the line
that contains the service module pam_authtok_store.so.1.
------------------------------------------------------------------------
Note –
Previously, if you enabled pam_ldap account management, all users
needed to provide a login password for authentication any time they
logged in to the system. Therefore, nonpassword-based logins using
tools such as rsh, rlogin, or ssh would fail.
Now, however, pam_ldap(5)
<http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view>, when
used with Sun Java System Directory Servers DS5.2p4 and newer
releases, enables users to log in with rsh, rlogin, rcp and ssh
without giving a password.
pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view> is now
modified to perform account management and retrieve the account status
of users without authenticating to Directory Server as the user
logging in. The new control to this on Directory Server is
1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.
To modify this control for other than default, add Access Control
Instructions (ACI) on Directory Server:
dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.5.8
cn: Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
 allow (read, search, compare, proxy)
 (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
I wanted to know if there is a known working version of this for ssh keys with account
management for 389.
I'm not sure. Other posters have provided information about using ssh
keys with 389.
No, this control is not provided by 389. Please file a bug/RFE for this
feature.
Thanks!
Chuck
------------------------------------------------------------------------
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
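As an added example (not from the thread, the Sun documentation, or the 389 project), the check a practitioner would run before relying on the password-less account management described above: the Sun control only helps if the directory server advertises it in its root DSE supportedControl attribute. The script below parses ldapsearch root-DSE output and reports whether OID 1.3.6.1.4.1.42.2.27.9.5.8 is listed; the two embedded root-DSE listings are constructed samples, and the live query assumes the OpenLDAP ldapsearch client is installed and anonymous base-scope reads of the root DSE are allowed.

```shell
#!/bin/sh
# Added example: does the directory server advertise the Password Policy
# Account Usable Request Control that pam_ldap's server_policy account
# management depends on? Not code from the thread, Sun, or 389.

ACCOUNT_USABLE_OID="1.3.6.1.4.1.42.2.27.9.5.8"

# Read ldapsearch root-DSE output on stdin; exit 0 if the control is listed.
# -F -x: fixed-string, whole-line match so a longer OID sharing this prefix
# does not count.
has_account_usable_control() {
    grep -F -x -q "supportedControl: ${ACCOUNT_USABLE_OID}"
}

# Take root-DSE output as a string and print "present" or "absent".
control_status() {
    if printf '%s\n' "$1" | has_account_usable_control; then
        echo present
    else
        echo absent
    fi
}

# Live query of a server's root DSE (assumes OpenLDAP's ldapsearch on PATH
# and that anonymous base-scope reads of "" are permitted).
query_root_dse() {
    ldapsearch -x -LLL -H "$1" -s base -b "" supportedControl
}

# Constructed sample resembling a 389 root DSE: the Sun control is absent.
SAMPLE_389_ROOT_DSE='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.1.13.1'

# Constructed sample resembling a Sun DS 5.2p4+ root DSE: control present.
SAMPLE_SUN_DS_ROOT_DSE='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8'

# Human-readable verdict for one server; always returns 0.
report() {
    if [ "$(control_status "$2")" = present ]; then
        echo "$1: Account Usable control advertised; pam_ldap can fetch account status without binding as the user"
    else
        echo "$1: control not advertised; pam_ldap must still bind as the user, so key-only ssh logins with account management will fail"
    fi
}

if [ "$#" -ge 1 ]; then
    # Usage: sh check_account_usable.sh ldap://ldap.example.com
    report "$1" "$(query_root_dse "$1")"
else
    report "constructed-389" "$SAMPLE_389_ROOT_DSE"
    report "constructed-SunDS" "$SAMPLE_SUN_DS_ROOT_DSE"
fi
```

Run with no arguments to see the verdict on the two constructed samples, or pass an LDAP URL to query a real server. The whole-line fixed-string match matters because ldapsearch prints one OID per supportedControl line and a prefix match would accept unrelated OIDs.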