PAM Admin And PAM User Setup

Changes to DIT

dn: ou=unix,ou=Groups,dc=willeke,dc=com

A container to hold any UNIX-specific groups.

dn: ou=profiles,ou=unix,ou=Groups,dc=willeke,dc=com

A container to hold DUAConfigProfile entries.

Rights need to be assigned to this container so that the pamAdminGroup can create, delete and modify entries.

ACL: 1#subtree#cn=pam,ou=unix,ou=Groups,dc=willeke,dc=com#[Entry Rights]
ACL: 3#subtree#cn=pam,ou=unix,ou=Groups,dc=willeke,dc=com#[All Attributes Rights]
ACL: 1#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[Entry Rights]
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[All Attributes Rights]
ACL: 15#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[Entry Rights]
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[All Attributes Rights]

dn: ou=unix,ou=Applications,dc=willeke,dc=com

A container to hold any UNIX related application items. Only the cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com entry is known at this time.

Rights need to be assigned to this container so that the pamAdminGroup can create, delete and modify entries.

ACL: 15#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[Entry Rights]
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[All Attributes Rights]

Users and Groups

dn: cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com

Rights need to be assigned to this entry so that the pamAdminGroup can create, delete and modify entries.

ACL: 15#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[Entry Rights]
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[All Attributes Rights]

DirXML driver changes will need to be made to allow sync on all attributes required.

POSIX attributes need to be added to the driver filter.

This group requires rights to be able to modify attributes for PAM communications on users and profiles.

dn: cn=pamAdmin,ou=Administration,dc=willeke,dc=com

This user entry exists so that someone can log in to the tree and modify POSIX attributes. The entry is a member of the pamAdminGroup and has no other rights assigned.

dn: cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com

The PAM user is used by UNIX clients to access the LDAP tree. This user is explicitly assigned the rights necessary for the PAM_LDAP clients to operate. This prevents any changes in current assignments to [Public] or to containers from interfering with PAM_LDAP operation.

This entry only needs to read POSIX attribute values on users and groups.

This entry must have a non-expiring password.

Rights To: dn: dc=willeke,dc=com

The PAM user and pamAdminGroup need rights to various attributes for all users and groups in the tree. The ACL settings below set the rights for these entries. Placing them at the dc=willeke,dc=com container requires fewer rights assignments, but they could instead be assigned to ou=groups and ou=people.

Basically, the PAM user needs to read, and the pamAdminGroup needs to be able to update, the attribute values.

ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#member
ACL: 3#entry#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[All Attributes Rights]
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[All Attributes Rights]
ACL: 1#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[Entry Rights]
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#gecos
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#gidNumber
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#loginShell
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#memberUid
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#uidNumber
ACL: 3#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[All Attributes Rights]
ACL: 1#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[Entry Rights]
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#gecos
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#gidNumber
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#host
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#loginShell
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#uidNumber
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowExpire
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowFlag
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowInactive
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowLastChange
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowMax
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowMin
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowWarning
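The ACL values on this page (both the container rights above and the dc=willeke,dc=com list here) encode privileges as a bitmask in the first field of privileges#scope#subject#attribute. The script below is an added example, not part of the original page: it decodes that field using eDirectory's documented privilege bits (1 browse/compare, 2 add/read, 4 delete/write, 8 rename/self, 16 supervisor) and audits a constructed sample, taken from this page plus one deliberately wrong line, to confirm the PAM user stays read-only and the pamAdminGroup never gets supervisor.

```python
"""Decode eDirectory ACL attribute values and check the read-only PAM user /
read-write pamAdminGroup split described on this page (added example)."""
from dataclasses import dataclass

# eDirectory ACL privilege bits; entry rights and attribute rights reuse the
# same numeric values with different meanings (mapping assumed from eDirectory docs).
ENTRY_BITS = {1: "browse", 2: "add", 4: "delete", 8: "rename", 16: "supervisor"}
ATTR_BITS = {1: "compare", 2: "read", 4: "write", 8: "self", 16: "supervisor"}
READ_ONLY = {"browse", "compare", "read"}

PAM_USER = "cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com"
PAM_ADMIN = "cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com"

# Constructed sample: values from this page's "Rights To" list plus one
# deliberately wrong line (privilege 7 on loginShell for the PAM user).
SAMPLE_ACLS = """\
ACL: 1#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[Entry Rights]
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#[All Attributes Rights]
ACL: 3#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#uidNumber
ACL: 7#subtree#cn=pam,ou=unix,ou=Applications,dc=willeke,dc=com#loginShell
ACL: 1#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#[Entry Rights]
ACL: 7#subtree#cn=pamAdminGroup,ou=Administration,dc=willeke,dc=com#shadowMax
"""

@dataclass(frozen=True)
class Acl:
    privileges: int
    scope: str      # "entry" or "subtree"
    subject: str    # trustee DN, lower-cased for comparison
    attribute: str  # attribute name, [Entry Rights] or [All Attributes Rights]

    def rights(self) -> set:
        table = ENTRY_BITS if self.attribute == "[Entry Rights]" else ATTR_BITS
        return {name for bit, name in table.items() if self.privileges & bit}

def parse_acls(text: str) -> list:
    """Parse 'ACL: privileges#scope#subject#attribute' lines into Acl objects."""
    acls = []
    for line in text.splitlines():
        if not line.startswith("ACL:"):
            continue
        priv, scope, subject, attr = line[4:].strip().split("#", 3)
        acls.append(Acl(int(priv), scope, subject.lower(), attr))
    return acls

def audit(acls, read_only_dn: str, writer_dn: str) -> list:
    """Return findings for ACLs that grant more than the intended rights."""
    findings = []
    for acl in acls:
        extra = acl.rights() - READ_ONLY
        if acl.subject == read_only_dn.lower() and extra:
            findings.append(f"{acl.attribute}: read-only subject granted {sorted(extra)}")
        if acl.subject == writer_dn.lower() and "supervisor" in acl.rights():
            findings.append(f"{acl.attribute}: writer granted supervisor")
    return findings
```

Run it against an LDIF export of the real ACL attribute on dc=willeke,dc=com (for example from ldapsearch) to catch any trustee that drifted beyond the read-only or read/write role described above.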

This page (revision-2) was last changed on 07-Apr-2011 10:46 by jim