We are trying to configure LDAP to perform Account Management. Overall this has been a success with some small but major problems. We cannot get the default password policy to work on User Accounts. The User is NOT locked out after the configured minimum tries. Has anyone seen this problem or fixed it before? Below is a list of tasks we are going to perform. Any help would be greatly appreciated.
Plan A: Modify the /etc/pam.conf file by changing lines that look like "<service> auth required pam_unix_auth.so.1" to "<service> binding pam_unix_auth.so.1 server_policy". We also add a line below this line for each required <service>: "<service> auth required pam_ldap.so.1". According to Sun documentation, this setup is supposed to enable LDAP user "Password Management" for LDAP clients. I have tried Plan A and it has not yet been successful.

Plan B: Other users on forums suggest commenting out all of the lines in pam.conf which reference the pam module pam_unix_auth.so.1. The only problem with this configuration is that local accounts set up in the /etc/passwd file will no longer work, including root. This is a bad idea, but I may use it as an interim step to test whether the pam_ldap.so.1 module works as expected.

Plan C: Several forums I have read, and one Elton pointed me to, suggest that we change the access control for the proxy agent. This will prevent pam_unix_auth from being able to read user passwords, compare the hash value with what the user entered and succeed before pam_ldap.so.1 has a chance to authenticate. Alternatively, we could place pam_ldap.so.1 in the stack before pam_unix_auth.so.1. However, this would also result in local users not being able to log in (we currently have this problem on the JSWAN).

Plan D: This relies on getting one of the other plans, B or C, to work; we can then implement some software Hank wrote called pam_shared_account. This has the ability to intercept requests to log in as the root user (or other specified users) and fork to a different pam stack. In other words, treat root as a special user, allowing it to use pam_unix_auth.so.1 and forcing all other users to use pam_ldap.so.1.

This message posted from opensolaris.org
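As an added example (not part of the original post), the following shell script audits a Solaris-style pam.conf for the Plan A stack: for every service with an auth entry, it reports whether pam_unix_auth.so.1 is stacked as binding with server_policy and is followed by a required pam_ldap.so.1 line. The sample pam.conf it writes is constructed for illustration; the awk field positions assume the standard pam.conf layout (service, type, control flag, module, options).

```sh
#!/bin/sh
# check_pam_stack FILE
# Prints one line per service that has auth entries: "<service> ok" or "<service> <reason>".
# Field layout assumed: $1 service, $2 type, $3 control flag, $4 module path, $5 first option.
check_pam_stack() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    $2 != "auth"             { next }          # only the auth stack matters for Plan A
    {
        svc = $1
        seen[svc] = 1
        if ($4 == "pam_unix_auth.so.1") {
            unix_line[svc] = NR
            unix_ok[svc]   = ($3 == "binding" && $5 == "server_policy")
        }
        if ($4 == "pam_ldap.so.1") {
            ldap_line[svc] = NR
            ldap_ok[svc]   = ($3 == "required")
        }
    }
    END {
        for (svc in seen) {
            if (!(svc in unix_line)) { print svc, "missing pam_unix_auth"; continue }
            if (!unix_ok[svc])       { print svc, "pam_unix_auth not binding/server_policy"; continue }
            if (!(svc in ldap_line)) { print svc, "missing pam_ldap"; continue }
            if (!ldap_ok[svc])       { print svc, "pam_ldap not required"; continue }
            if (ldap_line[svc] < unix_line[svc]) { print svc, "pam_ldap stacked before pam_unix_auth"; continue }
            print svc, "ok"
        }
    }' "$1" | sort
}

# write_sample_pam_conf FILE: constructed sample, one service fixed per Plan A, one left unchanged.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# constructed sample pam.conf (not a real system file)
login   auth requisite   pam_authtok_get.so.1
login   auth required    pam_dhkeys.so.1
login   auth required    pam_unix_cred.so.1
login   auth binding     pam_unix_auth.so.1 server_policy
login   auth required    pam_ldap.so.1
other   auth requisite   pam_authtok_get.so.1
other   auth required    pam_unix_auth.so.1
EOF
}

sample=$(mktemp)
write_sample_pam_conf "$sample"
check_pam_stack "$sample"
rm -f "$sample"
```

Run against the real file with `check_pam_stack /etc/pam.conf` on the client; any service not reporting `ok` still authenticates without consulting the LDAP password policy.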