The following pam_ldap changes are new in the Solaris Express 10/04 release, except for the account management feature. This management feature is new in the Software Express pilot program and in the Solaris 9 12/02 release. See the pam_ldap(5) man page for more information about these changes.
The previously supported use_first_pass and try_first_pass options are obsolete as of this Solaris 10 software release. These options are no longer needed. The options can safely be removed from pam.conf, and are silently ignored if they remain.
Password prompting must be provided by stacking pam_authtok_get before pam_ldap in the authentication and password module stacks, and by including pam_passwd_auth in the passwd_service_auth stack.
The previously supported password update function is replaced in this release by the use of pam_authtok_store with the server_policy option.
The pam_ldap account management feature strengthens the overall security of the LDAP Naming Service. Specifically, the account management feature does the following:
Allows for tracking password aging and expiration
Prevents users from choosing trivial or previously used passwords
Warns users if their passwords are about to expire
Locks out users after repeated login failures
Prevents users other than the authorized system administrator from deactivating initialized accounts
A clean, automated update cannot be provided for the changes in the previous list. Therefore, an upgrade to a Solaris 10 or subsequent release cannot automatically update the existing pam.conf file to reflect the pam_ldap changes. If the existing pam.conf file contains a pam_ldap configuration, the CLEANUP file notifies you after the upgrade. Examine the pam.conf file and modify it, as needed.
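One way to carry out that examination, as an added example rather than a tool shipped with Solaris: a shell function that flags pam_ldap entries still carrying the obsolete options, and auth or password stacks in which pam_ldap is not preceded by pam_authtok_get. The function names, the finding labels and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit pam.conf-format input
# for the pam_ldap changes described above.
# Fields: service  module_type  control_flag  module_path  [options...]
# On Solaris, /usr/bin/awk is the old awk; use nawk or /usr/xpg4/bin/awk.

audit_pam_conf() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }            # skip comments and short lines
    {
        type = $2; mod = $4
        key = $1 " " type                   # one stack = service + module type
        if (mod ~ /pam_authtok_get/) prompted[key] = 1
        if (mod !~ /pam_ldap/) next
        # Options follow the module path (field 5 onward).
        for (i = 5; i <= NF; i++)
            if ($i == "use_first_pass" || $i == "try_first_pass")
                print "OBSOLETE_OPTION line " NR ": " key " " $i
        # pam_ldap no longer prompts, so pam_authtok_get must come first.
        if ((type == "auth" || type == "password") && !(key in prompted))
            print "NO_PROMPT line " NR ": " key " has no pam_authtok_get before pam_ldap"
    }' "$@"
}

# Constructed sample resembling a pre-upgrade configuration.
sample_conf() {
    cat <<'EOF'
# constructed pre-upgrade fragment
login   auth sufficient   pam_unix_auth.so.1
login   auth required     pam_ldap.so.1 use_first_pass
other   auth requisite    pam_authtok_get.so.1
other   auth required     pam_ldap.so.1
other   password required pam_ldap.so.1 try_first_pass
EOF
}

# Prints four findings (lines 3 and 6); line 5 is stacked correctly.
sample_conf | audit_pam_conf
```

To audit a real system, pass the file as an argument: audit_pam_conf /etc/pam.conf. The function does not join backslash-continued lines, so review those entries by hand.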
See the following man pages for further information:
For further information about Solaris naming and directory services, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). For information about Solaris security features, see the System Administration Guide: Security Services.