The UNIX way.

Around the clock, across the globe. By Vladimir Legeza


“! bad user” error for the LDAP (with TLS) account in /var/cron/log.


First of all, I found that each account should carry a few attributes of the shadowAccount object class. This is necessary because they hold information about the account's status (in this case, its expiration).

objectClass: shadowAccount
shadowExpire:
shadowFlag: 0

After adding these attributes to every account that might be used to run tasks via the cron daemon, I saw that those accounts became visible in the shadow database, just as they already were in the passwd database.

# ldaplist shadow mnt-indexer
dn: uid=mnt-indexer,ou=MNT Users,ou=Other Users,dc=rbcsoft,dc=ru
# ldaplist passwd mnt-indexer
dn: uid=mnt-indexer,ou=MNT Users,ou=Other Users,dc=rbcsoft,dc=ru

The second thing I found was that every process that makes a request to LDAP over TLS through pam_unix_account.so.1 must have read access to the databases that hold the keys used to establish the TLS connection (usually the *.db files under /var/ldap).
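Both findings above can be checked before a cron job fails. The script below is an added example, not code from the post: it parses an LDIF dump of the account entries (as you would get from ldapsearch) and reports accounts lacking the shadowAccount object class, and it evaluates whether a given uid and group set can read the *.db files in /var/ldap. The sample LDIF and the uid/gid values are constructed for illustration.

```python
import os
import stat

# Constructed sample LDIF (not from the post): the first entry has the
# shadowAccount class, the second does not and would be rejected by cron.
SAMPLE_LDIF = """\
dn: uid=mnt-indexer,ou=MNT Users,ou=Other Users,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: mnt-indexer
shadowFlag: 0

dn: uid=mnt-backup,ou=MNT Users,ou=Other Users,dc=example,dc=com
objectClass: posixAccount
uid: mnt-backup
"""

def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attribute: [values]} dicts.
    Entries are blank-line separated; lines starting with a space continue
    the previous value. Base64 (::) values are kept as-is, not decoded."""
    entries, entry, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith(" ") and last is not None:
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            entry.setdefault(last, []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def accounts_without_shadow(text):
    """Return the uid of every entry that lacks the shadowAccount object class."""
    return [e.get("uid", ["?"])[0] for e in parse_ldif(text)
            if "shadowAccount" not in e.get("objectClass", [])]

def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """Classic UNIX read check for a user (uid, group set gids) against a
    file's st_mode/st_uid/st_gid. Root is deliberately not special-cased,
    because the cron job's PAM lookup runs as the job's own user."""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def unreadable_tls_dbs(uid, gids, directory="/var/ldap"):
    """List the *.db files (TLS cert/key databases) the given user cannot read."""
    if not os.path.isdir(directory):
        return []
    bad = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".db"):
            st = os.stat(os.path.join(directory, name))
            if not readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                bad.append(name)
    return bad
```

Run accounts_without_shadow on the output of an ldapsearch over the cron users' subtree, and unreadable_tls_dbs with the uid and groups of each cron job owner; both lists should be empty.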


Written by Vladimir Legeza

July 10, 2010 at 6:09 pm

Posted in LDAP, Solaris
