auth against LDAP
bnies at bluewin.ch
Fri Oct 29 07:53:06 EDT 2004
>Are you really sure? I don't know PAM on Solaris, but if you only
>allow imap, sieve and possibly pop3 in e.g. /etc/pam.d/, the user can't get
>an interactive account.
On Solaris with LDAP NSS, the LDAP accounts must have

    ObjectClass: posixAccount
    ObjectClass: shadowAccount

and therefore UID/GID/Homedir/Shell set. But one can set the shell to /bin/false
to disable login.

On systems with NSS based on OpenLDAP, one can set in /etc/ldap.conf

    pam_filter objectclass=account

or whatever, and one doesn't need the posixAccount/shadowAccount object classes.
Regards,
Bernd
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
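
The shell-based lockout described in the message above can be audited from an LDIF export of the directory. The following is an added example, not part of the original post: it lists posixAccount entries whose loginShell would still permit a login. The function names, the sample entries, the nologin paths and the choice to flag an unset loginShell are assumptions of this example.

```python
import base64
import re

# /bin/false is the shell named in the post; the nologin paths are assumed here.
NON_INTERACTIVE = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

SAMPLE_LDIF = """# Constructed sample entries, not from the original post
dn: uid=alice,ou=people,dc=example,dc=org
ObjectClass: posixAccount
loginShell: /bin/false

dn: uid=bob,ou=people,dc=example,dc=org
objectclass: posixAccount
loginShell: /bin/
 bash

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: account

dn: uid=dave,ou=people,dc=example,dc=org
objectClass: posixAccount
loginShell:: L2Jpbi9zaA==
"""

def parse_ldif(text):
    """Parse LDIF into dicts mapping lowercased attribute -> list of values."""
    entries, cur = [], {}
    # Unfold continuation lines first; the trailing "" flushes the last entry.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def interactive_accounts(entries):
    """Return (dn, shell) for posixAccount entries without a no-login shell."""
    flagged = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        shell = e.get("loginshell", ["(unset)"])[0]   # unset is flagged too
        if "posixaccount" in classes and shell not in NON_INTERACTIVE:
            flagged.append((e["dn"][0], shell))
    return flagged
```

Entries that carry only a non-POSIX class such as `account` (the pam_filter case in the message) are skipped, since they have no Unix shell to check.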