Hello, I have been testing pam.conf with pam_ldap on build 61 of opensolaris, and have come up with two questions. I'm only looking to use the authentication part of pam, not account management/naming services. In other words, I've got my local accounts with usernames that correspond to uid values in an LDAP. I want to allow those accounts to auth with the LDAP credential. My nsswitch.conf file does not contain ldap as a source of information.

Based on the S10 naming service docs, I came up with the following pam stack:

    ...
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_dial_auth.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_ldap.so.1
    ...
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth required pam_ldap.so.1
    ...

For the most part, this works as expected and I'm happy. Now on to the two questions I've come up with while testing...

1) No-password accounts (passwd -N foousr, resulting in NP in /etc/shadow) do not work as I thought they would. They are still allowed to login if they supply the correct LDAP credential. Users that are locked with *LK* in the shadow file are not allowed to login, as expected.

2) lock_after_retries. On my test box I had this enabled for 3 failed logins. What I found was, even if I supply a valid LDAP credential, the failed login counter is incremented in the shadow file due to the pam_unix_auth touch. Therefore, 2 successful and valid logins using pam_ldap actually resulted in a failed login count of 2 for the user. I was able to work around this in testing by either:

a) adding nolock as an option to pam_unix_auth (which effectively disables lock_after_retries anyway, so why not just disable it if doing this)
b) adding lock_after_retries=no for specific users in /etc/user_attr

Am I using pam_ldap in a way it wasn't designed, and are 1 and 2 above expected behavior? Many thanks for any feedback.

This message posted from opensolaris.org
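As an added illustration (not part of the original post, and not Solaris code), the following simulator applies the pam.conf control-flag rules (requisite, required, sufficient) to the "other auth" stack quoted above, so you can trace which modules run and what the stack returns. Each module's pass/fail result is an assumed input; the three modules ahead of pam_unix_auth are assumed to succeed.

```python
# Added example: simulate pam.conf control-flag semantics for the stack in the
# post. Module pass/fail results are ASSUMED inputs; no real PAM module runs.

# The "other" auth stack exactly as listed in the post, in evaluation order.
OTHER_AUTH_STACK = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("sufficient", "pam_unix_auth.so.1"),
    ("required", "pam_ldap.so.1"),
]


def evaluate_stack(stack, results):
    """Walk a pam.conf stack and return (outcome, modules_called).

    results maps module name -> True (PAM_SUCCESS) or False (any error).
    A failing requisite module ends the stack at once with failure; a
    failing required module is remembered but later modules still run;
    a succeeding sufficient module ends the stack with success unless a
    required module already failed; a failing sufficient module is skipped.
    """
    required_failed = False
    called = []
    for flag, module in stack:
        called.append(module)
        ok = results[module]
        if flag == "requisite" and not ok:
            return "failure", called
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "sufficient" and ok and not required_failed:
            return "success", called
    return ("failure" if required_failed else "success"), called


def trace(unix_auth_ok, ldap_ok):
    """Trace one login with assumed results for pam_unix_auth and pam_ldap."""
    results = {
        "pam_authtok_get.so.1": True,   # assumed to succeed
        "pam_dhkeys.so.1": True,        # assumed to succeed
        "pam_unix_cred.so.1": True,     # assumed to succeed
        "pam_unix_auth.so.1": unix_auth_ok,
        "pam_ldap.so.1": ldap_ok,
    }
    return evaluate_stack(OTHER_AUTH_STACK, results)
```

With this ordering, pam_unix_auth.so.1 is called on every path, ahead of pam_ldap.so.1, and a local rejection on a sufficient line is not by itself fatal; trace(False, True) shows the decision falling through to pam_ldap, while trace(True, False) shows pam_ldap never being consulted.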