System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Configuring PAM to Use LDAP server_policy

To configure PAM to use LDAP server_policy, follow the sample in Example pam_conf file for pam_ldap Configured for Account Management. Add the lines that contain to the client's /etc/pam.conf file. In addition, if any PAM module in the sample pam.conf file specifies the binding flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file. Also, add the server_policy option to the line that contains the service module

Note –

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config