System Administration Guide: Security Services

ProcedureHow to Specify a New Password Algorithm for an LDAP Domain

When the LDAP client is properly configured, the LDAP client can use the new password algorithms. The LDAP client behaves just as an NIS client behaves.

  1. Specify a password encryption algorithm in the /etc/security/policy.conf file on the LDAP client.

  2. Copy the modified policy.conf file to every client machine in the LDAP domain.

  3. Ensure that the client's /etc/pam.conf file does not use a pam_ldap module.

    Ensure that a comment sign (#) precedes entries that include Also, do not use the new server_policy option with the module.

    The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.

    When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file. The LDAP client machine encrypts the password. Then, the client sends the encrypted password, with a {crypt} tag, to the server. The tag tells the server that the password is already encrypted. The password is then stored, as is, on the server. For authentication, the client retrieves the stored password from the server. The client then compares the stored password with the encrypted version that the client has just generated from the user's typed password.

    Note –

    To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the server by using the Sun JavaTM System Directory Server's cryptographic mechanism. For the procedure, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).