Configuring Linux User Management on non-OES2, SLES 10 Servers


Configuring OES 2 Linux servers for Linux User Management (LUM) in a normal eDirectory tree is pretty much a no-brainer: configure your Unix Workstation object, LUM-enable your groups and users, and that's about it. But what about a SLES 10 server that is not running OES 2? How do you give all of your SLES 10 servers the same eDirectory authentication for local access?

In this article we will configure LUM on a non-OES 2 SLES 10 server so that members of a LUM-enabled eDirectory group can log in to it with their eDirectory IDs and passwords, without local accounts being created for them.

These are the steps we will use to accomplish this process:


The resources you will need, none of which are hard to come by, are:

Admin-equivalent rights in the eDirectory tree you want to authenticate against; preferably the admin account itself.
Note: I say "admin" because this account is stored in the Novell Account Management (nam) configuration. If you use your own account instead and it is later disabled, LUM on this server breaks with it.

The Open Enterprise Server 2 CD.

Root access to the SLES 10 server.

Installing Linux User Management Packages

This is a non-OES 2 server, but there are a couple of packages we need from the CD.
On the SLES 10 server, run YaST and scroll down to the Software section. Choose Add-On CD.
Select CD, and place the CD in the drive when prompted. Once the CD is read, select “I Agree” and choose next.
Do not select any packages yet. Click Details and choose Search. In the search field, type "lum" and click Go.
Select the following packages and click next:

Do not select YaST2-lum: it pulls in additional eDirectory-related packages, and we will not be managing LUM from this server; that is done on an OES 2 server.

When the packages have finished installing, exit YaST, remove the CD and open a terminal console.

Pluggable Authentication Modules (PAM) Configuration

Now that the Linux User Management packages are installed and ready for activation, let's configure the PAM stack for LUM.

With your favorite editor (vi, for example), open /etc/pam.d/login.

Make the following changes so that the file reads as shown here:

auth     required
auth    required
# auth     include        common-auth
auth     required
auth    sufficient
auth    required
account  include        common-account
account  sufficient
password include        common-password
password  sufficient
session  include        common-session
session  required nowtmp
session  required
session  optional standard
session  optional

Save the file and exit.

Make the same changes to the following files:


If other login services are in use on the server, such as ftp, make the same changes to their PAM files as well.

Name Service Switch (nsswitch) Configuration

Open /etc/nsswitch.conf and scroll down to the following lines:

passwd: compat
group: compat

Append nam to the end of each line so that they read:

passwd: compat nam
group: compat nam

Save the file and return to the bash shell.
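The PAM and nsswitch edits above are the same on every service file and every server, so it is worth scripting them. The helpers below are an added example, not code from the original article: they make the edits on files you name, skip files that are already done, and include a constructed copy of a stock SLES 10 login file and nsswitch.conf as sample input. pam_nam.so is the LUM PAM module; the exact auth stack the script writes follows the layout of an OES 2 LUM-enabled login file and is an assumption of this example, so compare it with a real OES 2 server before rolling it out.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent helpers for the
# /etc/pam.d and /etc/nsswitch.conf edits described in the article. The auth
# stack written by lum_patch_pam mirrors an OES 2 LUM-enabled login file and is
# an assumption here; pam_nam.so itself is LUM's PAM module.

# lum_patch_pam FILE
# Comments out the common-auth include, puts pam_nam.so in front of the local
# password check, and adds the account/password/session entries. A file that
# already references pam_nam.so is left alone, so re-running is harmless.
lum_patch_pam() {
    file="$1"
    grep -q 'pam_nam\.so' "$file" && return 0
    tmp="$file.tmp.$$"
    awk '
        $1 == "auth" && $2 == "include" && $3 == "common-auth" {
            print "# " $0
            print "auth     required       pam_env.so"
            print "auth     sufficient     pam_nam.so"
            print "auth     required       pam_unix2.so use_first_pass"
            next
        }
        { print }
        $1 == "account"  && $2 == "include" && $3 == "common-account"  { print "account  sufficient     pam_nam.so" }
        $1 == "password" && $2 == "include" && $3 == "common-password" { print "password sufficient     pam_nam.so" }
        $1 == "session"  && $2 == "include" && $3 == "common-session"  { have_session = 1 }
        END { if (have_session) print "session  optional       pam_nam.so" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# lum_patch_nsswitch FILE
# Appends "nam" to the passwd: and group: lines unless it is already listed.
lum_patch_nsswitch() {
    file="$1"
    tmp="$file.tmp.$$"
    awk '
        $1 == "passwd:" || $1 == "group:" {
            seen = 0
            for (i = 2; i <= NF; i++) if ($i == "nam") seen = 1
            if (!seen) $0 = $0 " nam"
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# lum_demo DIR
# Writes constructed copies of a stock SLES 10 login file and nsswitch.conf
# into DIR (sample input for this example, not taken from a real server) and
# patches them in place. Inspect DIR/login and DIR/nsswitch.conf afterwards.
lum_demo() {
    dir="$1"
    cat > "$dir/login" <<'EOF'
#%PAM-1.0
auth     requisite      pam_nologin.so
auth     required       pam_securetty.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_lastlog.so nowtmp
session  required       pam_resmgr.so
session  optional       pam_mail.so standard
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd: compat
group:  compat
hosts:  files dns
EOF
    lum_patch_pam "$dir/login"
    lum_patch_nsswitch "$dir/nsswitch.conf"
}

# Real use, as root and after backing the files up:
#   for f in login sshd; do lum_patch_pam /etc/pam.d/$f; done
#   lum_patch_nsswitch /etc/nsswitch.conf
```

Run lum_demo against a scratch directory first and diff the result against a hand-edited file from an OES 2 server; only then point the two patch functions at /etc.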

Configure Novell Account Management (namconfig)

Now we are ready to configure NAM. At the prompt, enter the following command, substituting your own values as described below; an example follows.

namconfig add -a [youradmin fdn] -r [yourbasedn] -w [CxyouwantyourUnixObject] -S [edirectoryldapserver]:389 -l 636

-a cn=admin,o=novell    Fully distinguished name of the admin account, in LDAP format

-r o=novell    Base search container

-w o=novell    Container in which the Unix Workstation object will be created

-S    IP address or host name of your eDirectory LDAP server, followed by the LDAP port (389)

-l 636    LDAP SSL port. Yes, that is a lowercase L.

Using this, here’s how it will appear:

namconfig add -a cn=admin,o=novell -r o=novell -w o=novell -S -l 636

You will be prompted for the admin account's password.

Check the output for errors. The common ones are insufficient rights, unable to modify the schema, and unable to retrieve the certificate. To avoid them, make sure that the eDirectory LDAP server:

has its time synchronized with the rest of the tree

holds at least a read/write replica of the root of the tree

When the command succeeds, review /etc/nam.conf and confirm that the parameters above were written as intended. If anything is wrong, correct it and re-run namconfig.

Unix Workstation Object

We now have to assign a LUM-enabled group to the Unix Workstation object that namconfig created for this SLES server.
Launch iManager and login, with an admin equivalent account, to the tree.

Scroll down, on the left side, to Linux User Management, click it to expand. Find Modify Unix Workstation Object.

Browse the tree and select the Unix Workstation object whose name ends in the SLES 10 server's host name.

Click Add, browse the tree, locate the LUM group for your tree, select it and add it. Click Apply, then OK once the changes have been applied.

Exit iManager and return to the command prompt or terminal console on the SLES 10 server.

Now let's restart namcd and test it. At the prompt, type the following:

rcnamcd restart

If you get an error about certificates, run the following to refresh the certificate:

namconfig -k


From another PC you should now be able to ssh to this SLES 10 server with your eDirectory credentials. If not, restart namcd and tail /var/log/messages for errors, and check your /etc/pam.d/* files for stray characters or misspelled module names.
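Before trying the ssh login from another PC, it is quicker to check the pieces on the server itself: does the user resolve through NSS at all, and is the PAM file for sshd wired up? The checks below are an added example, not part of the original article. They assume the stock paths (/etc/nsswitch.conf, /etc/pam.d/sshd, /etc/nscd.conf) and that sshd is one of the PAM files edited earlier; the nscd check exists because the comments on this article report LUM logins only working once nscd's passwd and group caches were disabled.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the SLES 10
# server before testing an ssh login with an eDirectory account. The paths are
# the stock ones; that /etc/pam.d/sshd was among the files edited earlier is an
# assumption of this example.

# lum_user_source USER
# Prints "local" when USER is in /etc/passwd, "nss" when it resolves only
# through another NSS source (nam, once nsswitch.conf lists it), or "missing".
# An eDirectory user that comes back "nss" has made it through namcd; one that
# is "missing" has not, whatever PAM is configured to do.
lum_user_source() {
    if getent passwd "$1" >/dev/null 2>&1; then
        if grep -q "^$1:" /etc/passwd; then echo local; else echo nss; fi
    else
        echo missing
    fi
}

# nscd_caches_users [NSCD_CONF]
# Returns 0 when nscd's passwd or group cache is switched on in NSCD_CONF.
# The comments on this article report LUM logins only working after both
# caches were turned off (enable-cache passwd no / enable-cache group no)
# and nscd was restarted.
nscd_caches_users() {
    conf="${1:-/etc/nscd.conf}"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*enable-cache[[:space:]]+(passwd|group)[[:space:]]+yes' "$conf"
}

# lum_precheck USER
# Runs the checks together; exit status 0 means the login path looks sane.
lum_precheck() {
    user="$1"; rc=0
    grep -Eq '^passwd:.*[[:space:]]nam([[:space:]]|$)' /etc/nsswitch.conf 2>/dev/null \
        || { echo "/etc/nsswitch.conf: passwd line does not list nam"; rc=1; }
    grep -q 'pam_nam\.so' /etc/pam.d/sshd 2>/dev/null \
        || { echo "/etc/pam.d/sshd: pam_nam.so not configured"; rc=1; }
    if nscd_caches_users; then
        echo "nscd is caching passwd/group lookups; disable both caches if LUM logins fail"
    fi
    case "$(lum_user_source "$user")" in
        nss)     echo "$user resolves through NSS (nam): ok" ;;
        local)   echo "$user is a local account; LUM is not being exercised"; rc=1 ;;
        missing) echo "$user does not resolve; restart namcd and check the LUM group membership"; rc=1 ;;
    esac
    return $rc
}

# Usage on the server, as root:  lum_precheck jdoe
```

Use a member of the LUM-enabled group as the test user, not root or another local account; a local account will always authenticate through pam_unix2 and tells you nothing about LUM.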


Although most of our SLES 10 servers run OES 2 and reside in our main eDirectory tree, some, such as the ZENworks Linux Management and Novell Identity Manager servers, do not, and I still want a way to administer them without remembering that many accounts and passwords. This solution satisfies that need.



  • ncisrael says:

    Thought about licensing? Now that you have added an OES component, although a small one, it's now licensed as OES and not SLES.

  • slb985 says:

    We could only get this working by stopping the nscd service (rcnscd stop) which appeared to be on by default. Is this the correct thing to do??

  • mfaris01 says:

    I double checked my sles boxes and they have it running. Perhaps a restart of nscd is what is needed. If you stop it, can you still logon as root?

  • stevehume says:

    Hi there,

    I was working with slb985 (I prefer to call him Dave!) on the above. By default this didn’t run even after restarting nscd. A little further digging and we discovered that we had to edit /etc/nscd.conf and make “enable-cache-passwd no” and “enable-cache-group no” then restart nscd (rcnscd restart) and all was good.

  • mfaris01 says:

    Thanks for the tip!


  • mmillecam says:

    We have had some comments regarding Novell support for Cool Solutions, especially with this issue. Please note that Cool Solutions are ideas, suggestions and helps from actual users of the Novell product.

    Novell does not support these suggestions. If you have questions, problems or thoughts on the article you should address them in a comment to that article or to the author and not to Novell.

    Note: Novell Support has noted with the above article that “customers who do not own LUM can not install this on SLES – which is part of issues with the Cool Solution”.

    Thank you,

  • Elfstone2 says:

    Hey Mike…

    Great article! I was wondering if you could update this for any changes you've encountered in the LUM modules since OES 2 SP1 has been released. I was about to attempt this until I realized that the lum and lum providers from OES2SP1 have many more dependencies (NLDAP, CIM, etc.) than you had originally found to be the case. Wasn't sure if that would also mean more changes to the PAM section too.

    Stefan Evans
    Gulfstream Aerospace
