Thanks,

I added a shadowaccount. I ran the commands getent passwd (OK, this works), getent group (OK, this works) and getent shadow (this works): "dkakon:*:14573:0:99999:7:::".

ldapsearch -h localhost "uid=dkakon"
version: 1
dn: uid=dkakon,ou=People,dc=fr,dc=publicisgroupe,dc=net
givenName: dan
sn: kakon
telephoneNumber: 0650621292
loginShell: /bin/bash
gidNumber: 700
uidNumber: 700
mail: kakon.dan@gmail.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
objectClass: passwordpolicy
objectClass: passwordobject
uid: dkakon
gecos: Dan Kakon
cn: dan kakon
homeDirectory: /home/dkakon
shadowMax: 99999
shadowMin: 00000
shadowLastChange: 14573
shadowWarning: 7
userPassword: {SSHA}3atvCZ+60iYb0qFtyzWg2p+HZFbpUgqCa4W0Xw==
passwordStorageScheme: MD5

One:

I don't a scheme of userPassword {SSHA} is by default. I added many attributes: shadowaccount, passwordpolicy.

I added a userpassword value on my group dkakon, and I went to authenticate my user dkakon. Now this works.

file /etc/ldap.conf (client rhel 5.4):

host rh5std.fr.publicisgroupe.net
base dc=fr,dc=publicisgroupe,dc=net
uri ldap://rh5std.fr.publicisgroupe.net
ldap_version 3
port 389
scope one
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password ssha
nss_base_passwd ou=People,dc=fr,dc=publicisgroupe,dc=net?sub
nss_base_shadow ou=People,dc=fr,dc=publicisgroupe,dc=net?sub
nss_base_group  ou=Groups,dc=fr,dc=publicisgroupe,dc=net?sub

Thanks

Dan

2009/11/25 Andrew C. Dingman <andrew@dingman.org>
On Wed, 2009-11-25 at 11:07 +0100, dan kakon wrote:
> I do not see a password in a shadow file, id user.

Nor should you. Neither /etc/passwd nor /etc/shadow should contain any
reference to your LDAP users. If things are set up right, though, you
should be able to view them as NSS sees them with 'getent passwd' and
'getent shadow'. Depending on how you chose to set things up, there may
be no shadow entries at all. Arguably, you don't need the shadow
information for LDAP users, if password expiration and account validity
are all being enforced at the directory server level.

--
Dan Kakon
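
Added example, not part of the original thread: a small Python reader for the 'getent shadow' record quoted above, showing what a client that trusts NSS shadow data would conclude (no hash exposed, last change date, expiry). The function names and the treatment of "*", "x" and "!" as placeholder values are assumptions of this sketch.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn",
          "inactive", "expire", "flag")

def parse_shadow(line):
    """Split one shadow(5) record into named fields; empty numbers become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def summarize(rec, today):
    """Report what the shadow fields alone say about the account on a given day."""
    pw = rec["passwd"]
    out = {
        # Assumption: "", "*", "x" and "!"-prefixed values carry no usable hash.
        "hash_exposed": pw not in ("", "*", "x") and not pw.startswith("!"),
        "last_change": None,
        "password_expires": None,
        "in_warning": False,
        "expired": False,
    }
    if rec["lastchg"] is not None:
        out["last_change"] = EPOCH + timedelta(days=rec["lastchg"])
        if rec["max"] is not None:
            # 99999 is treated as an ordinary day count here.
            exp = out["last_change"] + timedelta(days=rec["max"])
            out["password_expires"] = exp
            out["expired"] = today > exp
            warn = rec["warn"] or 0
            out["in_warning"] = exp - timedelta(days=warn) <= today <= exp
    return out

# The record quoted in the message above.
SAMPLE = "dkakon:*:14573:0:99999:7:::"

if __name__ == "__main__":
    report = summarize(parse_shadow(SAMPLE), date(2009, 11, 25))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the quoted record, the password field is a placeholder, so the {SSHA} value stays in the directory and is not visible through NSS.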