LDAP for Solaris/linux user authentication?!

Did anyone extend the Domino User schema to hold the data necessary (gid, uid, uidnumber, loginfield, userpassword) so that a Linux (e.g. RH8) or Solaris 2.9 system can successfully authenticate system logins (PAM, SSH) against it?

Is there a practical guide out there on how to do it with Domino?

With OpenLDAP it’s no problem, but for Domino a step-by-step guide on how it should be done is missing.

All I have found in this forum up to now for this kind of question does not reveal any success stories…

Where else can I look for HOWTO’s etc?

The Domino Admin LDAP doc alone is not sufficient.

If it’s possible with OpenLDAP it should also be possible for Domino…

bye, Bruno

Subject: LDAP for Solaris/linux user authentication??!

I’m very interested in any results regarding this topic. Having an integrated environment is a must-have feature. I’d like to have a single logon feature throughout the entire organization.

If someone has a few more insights or pointers on this, please share your knowledge.

Uwe

Subject: LDAP for Solaris/linux user authentication??!

Please share your experiences if you get the setup running. I think a lot of people would appreciate it.

Subject: LDAP for Solaris/linux user authentication??!

I found this and it might be of use to you and a couple of others here playing with Linux, Samba, PAM etc.:

http://www.openntf.org/projects/pmt.nsf/HomeLookup/2C7B9238190CDED588256D09003D2536?OpenDocument

Additional info on integrating Samba and OpenLDAP that might be useful for Domino as well:

http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#samba.schema

Some notes on my progress on a slightly different approach to the problem. I got the underlying Linux authentication system to look to Domino for credentials; it will then work for anything that supports PAM (pluggable authentication modules). I was working on getting CVS running; there are some political battles in the CVS team which mean that the official version of CVS does not support PAM, but it can be patched to do so quite easily (I managed it, so it can’t be that hard).

To act as an authentication server Domino must support the posixAccount Schema and the posixGroup Schema.

Add a subform to your Domino directory; I called mine “LDAP posixAccount Schema”.

Add the following fields. Note: all are text; do not for a moment consider making the UIDNumber and GIDNumber numeric. If you do, then you are stuffed, as the UNK table gets the wrong datatype.

UIDNumber - text!!! Editable, default value something to create a unique number; I used "@Text(@Integer(1000+(@Random*1000)))"

GIDNumber - text!!! Computed, formula is "UIDNumber"

home directory - editable, default value "/home/"+@LowerCase(shortname)

login shell - editable, default value "/bin/bash"

$objectclass - computed, allow multiple values, "posixAccount":"posixGroup"

Add your subform to the existing subform $PersonExtensibleSchema.

Refresh a few Person documents.

Go to your server console and type "tell ldap reload schema".

You now have a nicely configured LDAP server.

On the client side (that is, your Linux machine):

Open a couple of root shells and leave them open; you could lock yourself out in this process.

Edit /etc/ldap.conf; only the following lines should be uncommented:

host www.yourserver.com
binddn cn=Jean-Luc Picard,o=Enterprise
bindpw makeitso
rootbinddn cn=Jean-Luc Picard,o=Enterprise
pam_password clear
ssl no

Replace the bold stuff with a user and password that can read your NAB but not much else.

echo makeitso > /etc/ldap.secret

Run authconfig, or edit /etc/pam.d/system-auth; mine looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
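An added check for the client-side setup above (example code, not from this thread, Domino or pam_ldap): it parses a pam_ldap-style /etc/ldap.conf and flags the settings that send credentials in clear or leave the bind password readable by every local user, and it scans an LDIF export of Person documents for uidNumber collisions that the random default formula can produce. The sample config and LDIF are constructed to mirror the thread.

```python
# Added example (not from the thread): audit the pam_ldap client config and the
# Domino-generated posixAccount data for weak spots a reviewer would check first.
from collections import defaultdict

def parse_ldap_conf(text):
    """Parse a pam_ldap/nss_ldap ldap.conf: 'keyword value' per line, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def audit_ldap_conf(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("ssl", "no") == "no" and not conf.get("uri", "").startswith("ldaps://"):
        findings.append("ssl no: user passwords and the bind password cross the network in clear text")
    if conf.get("pam_password") == "clear":
        findings.append("pam_password clear: password changes are sent to the server unhashed")
    if "bindpw" in conf:  # ldap.conf must be world-readable for nss_ldap, so this leaks
        findings.append("bindpw in ldap.conf: readable by every local user; keep it only in /etc/ldap.secret (mode 0600) via rootbinddn")
    return findings

def duplicate_uid_numbers(ldif_text):
    """uidNumber -> DNs sharing it; the default formula draws a random 1000..2000, so collisions will appear."""
    by_uid, dn = defaultdict(list), None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("uidnumber:") and dn:
            by_uid[line.split(":", 1)[1].strip()].append(dn)
    return {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}

# Constructed sample input mirroring the configuration in the thread.
SAMPLE_LDAP_CONF = """host www.yourserver.com
bindpw makeitso
rootbinddn cn=Jean-Luc Picard,o=Enterprise
pam_password clear
ssl no
"""
SAMPLE_LDIF = "dn: cn=Jean-Luc Picard,o=Enterprise\nuidNumber: 1337\n\ndn: cn=William Riker,o=Enterprise\nuidNumber: 1337\n"

if __name__ == "__main__":
    for finding in audit_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("WARN", finding)
    for uid, dns in duplicate_uid_numbers(SAMPLE_LDIF).items():
        print("DUP uidNumber", uid, "shared by", " and ".join(dns))
```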