Thanks Gary. I think the source of my problems is really in naming services, i.e. trying to fuse ldap authentication on top of file-based account authorization. nolock is working the way I understood it to work from the documentation, but my mistake was in thinking that lock_after_retries would work with pam_ldap to begin with.
Per Darren's suggestion, I think flipping the pam_ldap and pam_unix_auth in my stack may resolve the two situations I tried to describe.

Best,
Scott

This message posted from opensolaris.org