LDAP - UNIX Solaris 10 - TS 6.7.1 authentication

We have installed TeamSite 6.7.1 on a Solaris 10 server which uses, for UNIX logins, an LDAP server (acting much like a NIS server).

This is supported under Solaris 10 and password authentication and account management are controlled from the NIS-LDAP global password policy.

However, when users try to connect to TeamSite, we get 'wrong username/password' returned and log in is not possible, unless the user logging in has an entry in /etc/passwd (ie is not a NIS-LDAP user - or is defined in both locations).

We want to enforce the password policy via our NIS-LDAP - and indeed this works for logins to the UNIX shell - for those users held on the NIS-LDAP. We do not want to enforce a policy for 'local' (/etc/passwd) users - these are mostly support engineers - and our UNIX administrators see the use of NIS-LDAP as removing the potential burden of maintaining such password policies from them.

We have tried changing the 'authentication_by=' parameters in 'iw.cfg' - but feel that changing this to LDAP is the wrong thing to do - since TeamSite users are held within TeamSite, the NIS-LDAP only being used for UNIX authentication. We have tried this anyway without success and have explored the use of PAM - but once again this doesn't seem to work.

Can anyone kindly advise how we might make this configuration work?

Find more posts tagged with

Comments

Adam Stoller

We have installed TeamSite 6.7.1 on a Solaris 10 server which uses, for UNIX logins, an LDAP server (acting much like a NIS server).

This is supported under Solaris 10 and password authentication and account management are controlled from the NIS-LDAP global password policy.

However, when users try to connect to TeamSite, we get 'wrong username/password' returned and log in is not possible, unless the user logging in has an entry in /etc/passwd (ie is not a NIS-LDAP user - or is defined in both locations).

We want to enforce the password policy via our NIS-LDAP - and indeed this works for logins to the UNIX shell - for those users held on the NIS-LDAP. We do not want to enforce a policy for 'local' (/etc/passwd) users - these are mostly support engineers - and our UNIX administrators see the use of NIS-LDAP as removing the potential burden of maintaining such password policies from them.

We have tried changing the 'authentication_by=' parameters in 'iw.cfg' - but feel that changing this to LDAP is the wrong thing to do - since TeamSite users are held within TeamSite, the NIS-LDAP only being used for UNIX authentication. We have tried this anyway without success and have explored the use of PAM - but once again this doesn't seem to work.

Can anyone kindly advise how we might make this configuration work?

Have you looked into applying TS671 SP1? (you only indicate the base installation of 671 in your post) - I believe that SP1 provides support for non-OS users, which sounds like what you're trying to do - yes?

Keep in mind though, that non-OS users requires significant changes to the way you handle PT processing and externaltasks in workflows as there is no impersonation done for non-OS users so you'll have to use XSLT instead of old-fashioned PT code, etc.

Or - have you tried using '*' in /etc/passwd for the password entry? I believe that forces the OS calls to then lookup the password in either /etc/shadow or through NIS / LDAP (I haven't done a lot with this in recent years, so I'm not sure of all the details)

LooseCannon

We have installed TeamSite 6.7.1 on a Solaris 10 server which uses, for UNIX logins, an LDAP server (acting much like a NIS server).

This is supported under Solaris 10 and password authentication and account management are controlled from the NIS-LDAP global password policy.

However, when users try to connect to TeamSite, we get 'wrong username/password' returned and log in is not possible, unless the user logging in has an entry in /etc/passwd (ie is not a NIS-LDAP user - or is defined in both locations).

We want to enforce the password policy via our NIS-LDAP - and indeed this works for logins to the UNIX shell - for those users held on the NIS-LDAP. We do not want to enforce a policy for 'local' (/etc/passwd) users - these are mostly support engineers - and our UNIX administrators see the use of NIS-LDAP as removing the potential burden of maintaining such password policies from them.

We have tried changing the 'authentication_by=' parameters in 'iw.cfg' - but feel that changing this to LDAP is the wrong thing to do - since TeamSite users are held within TeamSite, the NIS-LDAP only being used for UNIX authentication. We have tried this anyway without success and have explored the use of PAM - but once again this doesn't seem to work.

Can anyone kindly advise how we might make this configuration work?

Have you configured user_databases.xml to authenticate users against the LDAP database?

RoCo

Thanks for the responses. I'm only the 'Thinker's Labourer' for this so I'll pass your suggestions on to the UNIX technician when he gets back from holiday.

VBR