Step 9 Setting Password Read Permission for proxyagent

If pam_unix is used to authenticate Solaris users (as recommended) the cn=proxyagent DN, with which the Solaris LDAP client binds to the server, must be granted read permission for user account passwords. To perform this operation through the Directory Console, follow these steps:

1. Click the right mouse button on the top-level object, then choose Set Access Permissions from the pull-down menu and add the following data:

■ User/Group - cn=proxyagent, ou=profile (use Add User to List)

■ Rights - compare, read, search

Under ACI Attributes

■ ACI Name - allow-read-password (or any descriptive name)

■ Target Attribute(s) - userPassword

2. When done, click OK.

An LDIF file can also be used to change the ACI. For example:

dn: dc=blueprints, dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=blueprints,dc=com")(targetattr="userPassword")
 (version 3.0; acl "password read"; allow (compare,read,search)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=blueprints,dc=com";)
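Because this ACI exposes password hashes, the thing to check before and after applying it is that it grants the proxyagent DN nothing more than compare, read and search on userPassword. The script below is an added example, not part of the original Sun BluePrint: it parses an ACI value in the syntax shown above (the one-clause subset with a userdn bind rule) and reports any over-broad rights or attributes. The sample ACI strings are constructed from the LDIF on this page.

```python
import re

# Constructed sample: the ACI from the LDIF above, continuation lines joined.
PROXYAGENT_ACI = (
    '(target="ldap:///dc=blueprints,dc=com")(targetattr="userPassword")'
    '(version 3.0; acl "password read"; allow (compare,read,search) '
    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=blueprints,dc=com";)'
)
PROXY_DN = "cn=proxyagent,ou=profile,dc=blueprints,dc=com"

def parse_aci(aci):
    """Extract the parts of a Netscape/Sun ONE style ACI string.
    Handles the subset used on this page: optional target, targetattr,
    acl name, and one allow/deny clause bound to a single userdn."""
    m_target = re.search(r'\(target="([^"]*)"\)', aci)
    m_attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci)
    m_acl = re.search(r'acl\s+"([^"]*)"', aci)
    m_rule = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)"', aci)
    if not (m_attr and m_acl and m_rule):
        raise ValueError("unsupported or malformed ACI: " + aci)
    return {
        "target": m_target.group(1) if m_target else None,
        "attr_negated": m_attr.group(1) == "!=",      # targetattr != "..." form
        "attrs": [a.strip().lower() for a in m_attr.group(2).split("||")],
        "name": m_acl.group(1),
        "effect": m_rule.group(1),
        "rights": {r.strip().lower() for r in m_rule.group(2).split(",")},
        # Strip the ldap:/// prefix and normalise the DN for comparison.
        "userdn": m_rule.group(3).split("///", 1)[1].replace(", ", ",").lower(),
    }

def check_proxyagent_aci(aci, proxy_dn):
    """Return a list of findings; an empty list means the ACI is least-privilege
    for the proxyagent bind: allow, exactly userPassword, no rights beyond
    compare/read/search, bound to the expected DN."""
    p = parse_aci(aci)
    findings = []
    if p["effect"] != "allow":
        findings.append("rule is a deny rule, not the intended allow")
    if p["userdn"] != proxy_dn.replace(", ", ",").lower():
        findings.append("bind rule names %s, not the proxyagent DN" % p["userdn"])
    if p["attr_negated"] or p["attrs"] != ["userpassword"]:
        findings.append("targetattr must be exactly userPassword")
    excess = p["rights"] - {"compare", "read", "search"}
    if excess:
        findings.append("rights beyond compare/read/search: " + ",".join(sorted(excess)))
    return findings
```

Run it over every aci value exported from the suffix (for example with ldapsearch as Directory Manager) so that a later edit in the console that widens the rule to all attributes or adds write is caught.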
