Account Usable Request Control (1.3.6.1.4.1.42.2.27.9.5.8)

[Charls <ct@0x01.net>]

Hello,

At the moment I'm working with the Sun Java System Directory Server. I 
would like to migrate to Openldap but of course without losing 
functionality. I enabled pam_ldap account management on all my Linux and 
Solaris computers and everything worked fine. Everyone could do 
nonpassword-based logins using tools such as rsh or ssh. This feature 
was provided by the "Account Usable Request Control" 
(1.3.6.1.4.1.42.2.27.9.5.8) from the Directory Server which is needed by 
the ldap_pam module from Solaris. After the installation from openldap 
on my Solaris server I recognized that nonpassword-based logins on the 
Solaris computers are not possible anymore. This problem [1] was 
discussed 2 years ago on "openldap-software@openldap.org" but there was 
no solution described. I would like to know if there is a way to get 
this feature enabled with openldap? If not what can i do else?

More technically: If a ssh client connects with public key 
authentication to a Solaris computer the pam module is sending a query 
to the ldap server if the account policies are handled by ldap to get 
all supportedControls and to check if the "Account Usable Request 
Control" exists to retrieve the policy data without the explicit login 
from the user.


Thanks in advance!


Charls


[1] http://www.openldap.org/lists/openldap-software/200710/msg00041.html