System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Configuring PAM

pam_ldap is one authentication and account management PAM module option for LDAP. See the pam_ldap(5) man page and Appendix A, Solaris 10 Software Updates to DNS, NIS, and LDAP for more information about the features currently supported with pam_ldap.

If you have selected both the per-user mode and the self credentials option, then you must also enable the PAM Kerberos pam_krb5(5) pam modules. See pam_krb5(5) and the System Administration Guide: Security Services documentation for further details.

Configuring PAM to Use UNIX policy

To configure PAM to use UNIX policy, follow the sample in Example pam.conf File for pam_ldap. Add the lines that contain to the client's /etc/pam.conf file. For details, see the pam.conf(4) man page.

Configuring PAM to Use LDAP server_policy

To configure PAM to use LDAP server_policy, follow the sample in Example pam_conf file for pam_ldap Configured for Account Management. Add the lines that contain to the client's /etc/pam.conf file. In addition, if any PAM module in the sample pam.conf file specifies the binding flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file. Also, add the server_policy option to the line that contains the service module

Note –

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config