The authentication method can be specified for a given service in the serviceAuthenticationMethod attribute. The following services currently support this.
passwd-cmd: This service is used by passwd(1) to change the login password and password attributes.
pam_ldap: This service is used for authenticating users with pam_ldap(5). pam_ldap supports account management.
If the service does not have a serviceAuthenticationMethod set, it will default to the value of the authenticationMethod attribute.
In per-user mode, the pam_krb5 service module (PAM Kerberos) is used as the authentication service. The serviceAuthenticationMethod attribute is not needed in this mode of operation.
If the enableShadowUpdate switch is set to true, the ldap_cachemgr daemon binds to the LDAP server by using the authentication method that is defined in the serviceAuthenticationMethod parameter of passwd-cmd, if the method is defined. Otherwise, authenticationMethod is used. The daemon will not use the none authentication method.
The following example shows a section of a client profile in which the users will use sasl/digest-MD5 to authenticate to the directory server, but will use an SSL session to change their password.
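An added example, not part of the original documentation: the Python below resolves which method each service ends up using under the fallback rules described above, and flags effective settings that are anonymous or a simple bind without TLS. The name=value profile lines, the tls:simple value and all function names are assumptions; the sample profile is constructed.

```python
# Added example: effective bind method per service, following the fallback
# rules described above. Input uses name=value lines (assumed layout).
SERVICES = ("passwd-cmd", "pam_ldap")  # services named on this page

# Constructed sample profile, not taken from a real deployment.
SAMPLE_PROFILE = """\
authenticationMethod=sasl/DIGEST-MD5
serviceAuthenticationMethod=pam_ldap:sasl/DIGEST-MD5
serviceAuthenticationMethod=passwd-cmd:tls:simple
enableShadowUpdate=true
"""

def _methods(value):
    # Methods may be given as a semicolon-separated list.
    return [m.strip() for m in value.split(";") if m.strip()]

def parse_profile(text):
    default, per_service, shadow = [], {}, False
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "authenticationmethod":
            default = _methods(value)
        elif key == "serviceauthenticationmethod" and ":" in value:
            # Split on the first colon only: "passwd-cmd:tls:simple".
            service, methods = value.split(":", 1)
            per_service[service.strip()] = _methods(methods)
        elif key == "enableshadowupdate":
            shadow = value.lower() == "true"
    return default, per_service, shadow

def effective_methods(text, service):
    # A service without its own setting falls back to authenticationMethod.
    default, per_service, _ = parse_profile(text)
    return per_service.get(service) or default

def cachemgr_methods(text):
    # ldap_cachemgr binds only when enableShadowUpdate is true, prefers the
    # passwd-cmd method, and never uses "none".
    _, _, shadow = parse_profile(text)
    if not shadow:
        return []
    return [m for m in effective_methods(text, "passwd-cmd") if m.lower() != "none"]

def audit(text):
    # Flag services whose effective method is anonymous ("none") or a
    # simple bind with no TLS, which sends the password in cleartext.
    return [(s, m) for s in SERVICES for m in effective_methods(text, s)
            if m.lower() in ("none", "simple")]
```

Running audit() on a profile that sets only authenticationMethod shows how a weak default silently applies to every service that lacks its own serviceAuthenticationMethod entry.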