Solaris 9 10 - pam.conf - LDAP - su - user login - DS 6.3.1

Similar Messages

• Secury LDAP with User Login

  Hi There,
  We have a LDAP directory with +1000 names addresses bla bla bla.
  But i just find out that it isnt protected with a password. Is it possible to protect the LDAP directory with the users from the open directory?
  gr maarten

  Hi Mark,
  Give this a try:
  $start = (Get-Date -Hour 00 -Minute 00 -Second 00).AddDays(-1)
  $end = (Get-Date -Hour 23 -Minute 59 -Second 59).AddDays(-1)
  $messages = Get-MessageTrackingLog -Server MyServer -EventID SEND -start $start -end $end
  $out = @()
  foreach ($msg in $messages) {
  $props = @{
  UPN = (Get-User $msg.Sender).UserPrincipalName
  TimeStamp = $msg.Timestamp
  EventId = $msg.EventId
  MessageId = $msg.MessageId
  Recipients = ($msg | Select -ExpandProperty Recipients) -join ','
  TotalBytes = $msg.TotalBytes
  MessageSubject = $msg.MessageSubject
  Sender = $msg.Sender
  $out += New-Object PsObject -Property $props
  $out | Sort MessageId -Unique | Export-Csv .\msgTracking.csv -NoTypeInformation
  Don't retire TechNet! -
  (Don't give up yet - 12,700+ strong and growing)

• Pam.conf does not use ldap for password length check when changing passwd

  I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
  I have dsee 6.0 installed on a solaris 10 server (client).
  I have a solaris 9 server (server) set up to use ldap authentication.
  bash-2.05# cat /var/ldap/ldap_client_file
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= X, Y
  NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= tls_profile
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_BIND_TIME= 10
  bash-2.05# cat /var/ldap/ldap_client_cred
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
  NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
  bash-2.05# cat /etc/nsswitch.conf
  # /etc/nsswitch.ldap:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # uses LDAP in conjunction with files.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
  passwd: files ldap
  group: files ldap
  # consult /etc "files" only if ldap is down.
  hosts: files dns
  ipnodes: files
  # Uncomment the following line and comment out the above to resolve
  # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
  # IPv4 addresses are searched in all of the ipnodes databases before
  # searching the hosts databases. Before turning this option on, consult
  # the Network Administration Guide for more details on using IPv6.
  #ipnodes: ldap [NOTFOUND=return] files
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: files
  bootparams: files
  publickey: files
  netgroup: ldap
  automount: files ldap
  aliases: files ldap
  # for efficient getservbyname() avoid ldap
  services: files ldap
  sendmailvars: files
  printers: user files ldap
  auth_attr: files ldap
  prof_attr: files ldap
  project: files ldap
  bash-2.05# cat /etc/pam.conf
  #ident "@(#)pam.conf 1.20 02/01/23 SMI"
  # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1 debug
  login auth required pam_dhkeys.so.1 debug
  login auth required pam_dial_auth.so.1 debug
  login auth binding pam_unix_auth.so.1 server_policy debug
  login auth required pam_ldap.so.1 use_first_pass debug
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1 use_first_pass
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_auth.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1 use_first_pass
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authenctication
  other auth requisite pam_authtok_get.so.1 debug
  other auth required pam_dhkeys.so.1 debug
  other auth binding pam_unix_auth.so.1 server_policy debug
  other auth required pam_ldap.so.1 use_first_pass debug
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy debug
  passwd auth required pam_ldap.so.1 use_first_pass debug
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_projects.so.1
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1 debug
  other account required pam_projects.so.1 debug
  other account binding pam_unix_account.so.1 server_policy debug
  other account required pam_ldap.so.1 no_pass debug
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1 debug
  other password requisite pam_authtok_get.so.1 debug
  other password requisite pam_authtok_check.so.1 debug
  other password required pam_authtok_store.so.1 server_policy debug
  # Support for Kerberos V5 authentication (uncomment to use Kerberos)
  #rlogin auth optional pam_krb5.so.1 try_first_pass
  #login auth optional pam_krb5.so.1 try_first_pass
  #other auth optional pam_krb5.so.1 try_first_pass
  #cron account optional pam_krb5.so.1
  #other account optional pam_krb5.so.1
  #other session optional pam_krb5.so.1
  #other password optional pam_krb5.so.1 try_first_pass
  I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
  May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
  May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
  May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
  May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
  May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
  May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
  May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
  May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
  May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
  May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
  May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
  If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
  bash-2.05$ passwd
  passwd: Changing password for VV
  Enter existing login password:
  New Password:
  passwd: Password too short - must be at least 8 characters.
  Please try again
  May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
  May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
  May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
  May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
  May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
  May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
  May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
  I am using the default policy on the directory server which states a minimum password length of 6 characters.
  server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
  pwd-accept-hashed-pwd-enabled : N/A
  pwd-check-enabled : off
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 1d
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : off
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : off
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : disabled
  pwd-max-failure-count : 3
  pwd-max-history-count : disabled
  pwd-min-age : disabled
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : CRYPT
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : off
  pwd-strong-check-require-charset : lower
  pwd-strong-check-require-charset : upper
  pwd-strong-check-require-charset : digit
  pwd-strong-check-require-charset : special
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : off
  Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
  . It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
  I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
  Edited by: ericduggan on Sep 8, 2008 5:30 AM

  you can try passwd -r ldap for changing the ldap passwds...

• Solaris 10 Ldap Client user authentication against edirectory

  Hello,
  We have moved some of our oracle databases from linux to solaris 10 u7, I need to setup secure ldap authentication for the users against a linux based eDirectory server. Can some one point me in the right direction of good documentation or a good explaination on what i need and how to go about this.
  I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
  Thanks
  ukgreenman

  I have a similar question.
  Did you have a solution ?
  thanks

• Stacking Problem in pam.conf on Solaris 10 ?

  Hi all,
  I have pam.conf with enteries for
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  *other password required pam_dhkeys.so.1*
  *other password requisite pam_authtok_get.so.1*
  *other password requisite pam_authtok_check.so.1*
  *other password required pam_authtok_store.so.1*
  As per my understanding the
  (I) SPI pam_authtok_get.so.1 is used to get the user credentials from password DB.
  (II) SPI pam_authtok_check.so.1* is used to check if the new password supplied is satisfying the password policy on the OS ( by reading values from /etc/default/passwd )
  (III) SPI pam_authtok_store.so.1* is used to store the newly entered password to password db.
  Please correct me if I am wrong anywhere.
  Now I have a requirement thar an application has to be wriiten which will just check that the entered password satisfies the password policies of the OS or not, but it should not update the password DB(should not store the password)
  I make the following enteries in my pam.conf
  osPasswdCheck password required pam_dhkeys.so.1
  osPasswdCheck password requisite pam_authtok_get.so.1
  osPasswdCheck password requisite pam_authtok_check.so.1
  I removed the entry for pam_authtok_store.so.1 as I dont want to store the but when I run my application it always give error 20 authentication manipulation error.
  please refer (/usr/include/security/pam_appl.h)
  I have done all the formalities w.r.t writing a PAM Conversation funtion and the application is returning success when I add the pam_authtok_store.so.1 into the SPI
  Please anyone can help me out.Is there is anyother way with which I can use my application just to check password (w.r.t. OS policy) .
  I will be really thankful if anybody can provide me with working PAM Modules stack for achieving it.
  Thanks in advcance.
  Regards,
  Rahul.
  but I dont want to store it.

  Why not just keep the "pam_authtok_store.so.1" line in your pam.conf file and set it to a level of "requisite" or lower? I haven't tried it myself yet, but I've found that in the past when editing this file, completely removing a line rather than giving the PAM stack what it would expect to see with that line being there in some way can also cause problems.

• To disable user login on a solaris 10 server

  Hello Everybody
  I want to know how to disable further users login, if suppose there are 10 users already login on a server & I don't want any more user to login on a server without getting those exsisting users to logoff.
  Regards

  I suppose you could write a wrapper script that uses who to count the number of connections and then:
  touch /etc/nologin
  to disable further logons at some arbitrary number. Then you could stick the script into cron and let it do it's thing.
  alan

• Solaris 10 and LDAP Authentication

  Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
  I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
  My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
  I'am missing any steps?
  Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
  Message was edited by:
  automount
  Message was edited by:
  automount

  You may follow:
  http://web.singnet.com.sg/~garyttt/
  http://projects.alkaloid.net/content/view/15/26/
  http://blogs.sun.com/roller/resources/raja/ldap-psd.html
  http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
  http://www.thebergerbits.com/unix.shtml
  http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
  http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
  http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
  (LDAP related docs)
  Gary

• UW-Imap and pam.conf problem

  Hello
  I have a problem with uw-imap and pam.conf.
  On this site: http://www.washington.edu/imap/documentation/BUILD.html, by step 3 i have a problem.
  In Solaris 10, the directory /etc/pam.d/ do not exisist. It haves only the file pam.conf.
  But, i don't know, what i must read in this file.
  Can you help me? Please.
  Greetings

  you can try passwd -r ldap for changing the ldap passwds...

• Best Practice in maintaining multiple apps and user logins

  Hi,
  My company is just starting to use APEX, and none of us (the developers) have worked on this before either. It is greatly appreciated if we can get some help here.
  We have developed quite a few applications in the same workspace. Now, we are going to setup UAT and PRD environments and also trying to understand what the best practice is to maintain multiple apps and user logins.
  Many of you have already worked on APEX environment for sometime, can you please provide some input?
  Should we create multiple apps(projects) for one department or should we create one app for one department?
  Currently we have created multiple apps for one department, but, we are not sure if a user can login once and be able to access to all the authenticated apps.
  Thank you,
  LC

  LC,
  I am not sure how much of this applies to your situation - but I will share what I have done.
  I built a single 700+ page application for my department - other areas create separate smaller applications.
  The approach I chose is flexible enough to accomdate both.
  I built a separate access control application(Control) in its own schema.
  We use database authenication fo this app - an oracle account is required.
  We prefer to use LDAP for authentication for the user applications.
  For users that LDAP is not option - an encrypted password is stored - reset via email.
  We use position based security - priviliges are based on job functions.
  We have applications, appilcations have roles , roles have access to components(tabs,buttons,unmasked card numbers,etc.)
  We have positions that are granted application roles - they inherit access to the role components.
  Users have a name, a login, a position, and a site.
  We have users on both the East Coast and the West Coast, we use the site in a sys_context
  and views to emulate VPD. We also use the role components,sys_contexts and views to mask/unmask
  card numbers without rewriting the dependent objects(querys,reports,views,etc.)
  The position based security has worked well, when someone moves,
  we change the position they are assigned to and they immediately have the privileges they need.
  If you are interested I can rpovide more detail.
  Bill

• End User Login Message

  Hi Folks,
  Our production IDM setup has 3 IDM instances sharing the same repository. The IDM End user is used for setting passwords in IDM and LDAP.
  Recently, couple of users have reported this error while trying to log in into IDM end user login page.
  "Your password has expired for account xxxxxx. Please change it now.
  Item User:xxxxxx was not found in the repository, it may have been deleted in another session."
  I had seen an earlier posting on this but there were no answers. Does any have a clue why this happens?
  Any lead will be greatly appreciated.
  Thanks in advance!
  Suvesh

  Hi shivjansi,
  This is normal behavior for the service desk.  It gives end-users a limited UI compared to the ticket processors.  Unfortunately the features of the limited UI are hardcoded so you cannot configure the UI so that end-users get two tabs while a ticket processor gets all six tabs. This may change in SolMan 7.1, let's hope so
  SolMan determines if a user is an end-user by checking the auth object
    CRM_TXT_ID
        Activity <ACTVT>: 02
        Text ID <TEXTID>: SU15
  If the auth check for this auth object fails, then the user is considered to be an end-user and they get the limited UI.
  Good luck!
  Jon

• Active LDAP with Anonymous login

  hello all,
  We are using LDP as a method to authenticate users.
  How can we set up the Active LDAP with Anonymous login .
  Thanks in advance.

  It's not clear what you want to do.
  Do you want to set up LDAP for authentication?
  Or
  Do you want to set up a custom authentication scheme that tries to authenticate via LDAP and if unsuccessful, logs the user in as an anonymous user?

• Where are the ID and Password fields in End User Login ?

  Hi:
  I need to modifiy the ID / Password labels of the end-user login. I searched it in the WPMessages.properties, but i only find the variable UI_PWD_LABEL, and if i change it, it saw in the Admin Login but not in the User Login.
  Any idea?
  Thanks,
  MJ.

  Please tell us your first name and update your forum profile with it to help us. Thanks.
  The first process sets a convenience cookie with the value the user entered in the username field. This is a session cookie. The code is all there. It has nothing to do with the topic of your post.
  The Login process calls the apex login API. This performs authentication and does session registration and sets another cookie for session management.
  Where usernames and passwords are stored depends on the type of authentication you have chosen and this is recorded in the Authentication Function attribute of the authentication scheme. For Application Express authentication, the account information is in the table wwv_flow_fnd_user. You might also use your own tables for this, or LDAP, or SSO, ...
  Scott

• IPlanet web server auto restart when user login or logout the NT server

  Configuration
  - NT Server 4.0 SP6a
  - iPlanet Web Server 6.0 SP4
  - JDK 1.3.1_03
  - NT audit turned on for the file <iPlanet WS 60 instance home>/config/password.conf
  We encounter a problem that when a user login / logout NT machine, the iplanet web server would be restart automatically.
  Could somebody advise why this happen and how it can be solved?
  There is a box called "Allow service to interact with desktop" in the service startup menu. What is it means and did it related to the problem?

  I think you are running into this:
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsunone%2F8322&zone_32=-Xrs%2A%20
  Thanks
  Manish

• Help with multiple user login script

  Hi, just a little background first to what i want to do...
  I have about 300 Macs in an education environment, they are bound to the AD network for authentication and OSX Server LDAP for forced prefs, the network Home accounts are stored via Apple and Promise Raids on XServes.
  We also have 4 local user accounts on all the Macs for video etc. I have some simple scripts that i would like to force to the local Users only, (empty trash, reset dock. reset desktop pics and delete items etc).
  I have done the script and saved it as a .app and it works on the Macs as a local User login option. However, when I bind the Mac back to the LDAP the local user script stops working. I have seen the option to 'Allow local scripts' to run via WGM, but have not had success here either, (I have ran the 2 EnableMCXLoginScripts on the clients).
  Now I thought I would try to run the script as a Launchdaemon option using Lingon. This works, but its active for all users, I do not want it to delete Network account users Desktops! Is there a way I can add an 'If' option at the beginning of my script. As in..'if users home account is /Network/Sharepoint' then quit.
  I cannot run it as a one script for all Mac setting as the different local users have different Desktop Pics and Docks etc
  Any ideas or other options I could try?
  Any help hugely appreciated.
  C

  V.K, thanks for that, sometimes I just don't see the obvious.
  I have tried it as a ~/Library/LaunchAgents using lingon to create the .plist. I just cannot get it to run though. I have tried it as a .sh .scpt and as a .app file stored in the /Users/Shared folder.
  All will run if I manually launch them after login though. I have made them all executable for all.
  I have also tried to run it without the Mac connected to my LDAP. I have added the relevant folders to the allow list in WGM on the lDAP anyway...
  Any ideas what I could be doing wrong?
  C

• How to change the DN of a user when provisioning to LDAP (iPlanet User)

  When I provision a new user to iPlanet User (LDAP) resource, it creates the account with DN = uid=<user login>,ou=people,dc=test,dc=com
  How can I change it so that it will create the account with DN = cn=<Fullname>, ou=people,dc=test,dc=com ?
  I don't see the DN field defined in the iPlanet User form.

  Is this a live environment? I would suggest setting this from the start, and not trying to change later. Most likely its using this prefix for both pre and post name so when you change it in the middle, one of them won't be found.
  -Kevin