Here is my pam.conf file, which I have installed in the global zone and all my zones.

#
#ident "@(#)pam.conf 1.29 07/04/10 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other account required pam_tsol_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
#
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
#
#
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
#
#
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
#
#
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
#
#
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
#
#
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
#
tsoljds-tstripe account requisite pam_roles.so.1
tsoljds-tstripe account required pam_tsol_account.so.1
----------------------------

I have set up a global password policy in DSCC that has the following enabled: Password Reset User-Changeable Password Reuse Password Expiration Expiration Warning Grace Login Password Storage Schema Password Syntax Checking Minimum Password Length Administrative Users Password Strong Check Account Lockout Failures Before Lockout Failure Count Reset Lockout Duration.

I have assigned the Global Password Policy to all my users. To test, I changed the date on the LDAP server to fall before the Password Expiration date and after the Expiration Warning date. Then I logged in with an LDAP user expecting to see a warning that my password was getting ready to expire, but it didn't happen. I'm able to change the password. I receive messages when I try to reuse an old password, and I receive messages when I try to reuse the same password. I'm not sure where these messages are coming from, but I would assume LDAP because these are LDAP users.

The reason I made this post to OpenSolaris is because we have a number of cases that have been opened with Sun Services concerning LDAP (DSEE) and Solaris 10 Trusted Extensions and have not been given a fix for any. I thought I would try this forum to see if I could get some kind of response from someone who may be using LDAP (DSEE) with Solaris 10 Trusted Extensions. If there is a better forum for me to post on concerning LDAP (DSEE), let me know. I have not seen a forum specifically for LDAP. I will go ahead and open another case with Sun Services concerning this issue. Are LDAP (DSEE) and Solaris 10 Trusted Extensions being used together much?

Thanks for the reply

This message posted from opensolaris.org
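An added check, not code from the original post: it parses a Solaris-style pam.conf like the one above and reports explicit service stacks that omit a module the "other" stack of the same module type loads. Because an explicit service entry replaces the "other" default for that module type entirely, a module listed only under "other account" (such as pam_ldap.so.1, whose account management is where Solaris reports LDAP password aging) never runs for services such as dtlogin or gdm that define their own account stack. The sample file is a constructed excerpt modelled on the post's configuration.

```python
# Constructed excerpt modelled on the post's pam.conf (not the full file).
SAMPLE_PAM_CONF = """\
# comments and blank lines are ignored
login    auth    required  pam_unix_cred.so.1
login    auth    required  pam_ldap.so.1
other    auth    required  pam_unix_cred.so.1
other    auth    required  pam_ldap.so.1
other    account requisite pam_roles.so.1
other    account binding   pam_unix_account.so.1 server_policy
other    account required  pam_ldap.so.1
other    account required  pam_tsol_account.so.1
dtlogin  account requisite pam_roles.so.1
dtlogin  account required  pam_unix_account.so.1
gdm      account requisite pam_roles.so.1
gdm      account required  pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, [options])]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((flag, module, fields[4:]))
    return stacks

def missing_from_explicit_stacks(stacks):
    """Map (service, module_type) -> modules that the 'other' stack of that
    module type loads but the service's own explicit stack does not."""
    gaps = {}
    for (service, mtype), entries in stacks.items():
        if service == "other":
            continue
        default = {m for _, m, _ in stacks.get(("other", mtype), [])}
        present = {m for _, m, _ in entries}
        missing = sorted(default - present)
        if missing:
            gaps[(service, mtype)] = missing
    return gaps

if __name__ == "__main__":
    gaps = missing_from_explicit_stacks(parse_pam_conf(SAMPLE_PAM_CONF))
    for (service, mtype), mods in sorted(gaps.items()):
        print("%s %s: not loading %s" % (service, mtype, ", ".join(mods)))
```

Point it at /etc/pam.conf in each zone to see which services bypass the LDAP and Trusted Extensions account modules; the login auth stack in the sample is reported clean because it lists the same modules as "other auth".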