
Working With Oracle® Solaris 11.3 Directory and Naming Services: LDAP


Updated: September 2018

LDAP Account Management

With pam_krb5 performing account and password management, the Kerberos environment manages all of the account, password, account lockout, and other account management details.

If you do not use pam_krb5, configure the LDAP naming service to take advantage of the password and account lockout policy support in ODSEE. You can configure pam_ldap to support user account management. With the proper PAM configuration, the passwd command enforces the password syntax rules set by the ODSEE password policy. However, do not enable account management for proxy accounts: if the proxy password expires or the proxy account is locked out, every client that binds with that credential loses name resolution.

The pam_ldap module supports the following account management features. Each one depends on the corresponding setting in the ODSEE password and account lockout policy:

  • Password aging and expiration notification – Users must change their passwords according to a schedule. Otherwise, the password expires and user authentication fails.

    Users are warned whenever they log in within the expiration warning period. The warning includes the remaining time before password expiration.

  • Password syntax checking – New passwords must meet the minimum password length requirements. A password must not match the value of the uid, cn, sn, or mail attributes in the user’s directory entry.

  • Password history checking – Users cannot reuse passwords. LDAP administrators can configure the number of passwords kept in the server’s history list.

  • User account lockout – A user account can be locked out after a specified number of repeated authentication failures. Users are also locked out if an administrator inactivates their accounts. Authentication continues to fail until the lockout duration has elapsed or the administrator reactivates the account.

These account management features work only with the ODSEE. For information about configuring the password and account lockout policy on the LDAP server, see Directory Server Password Policy in Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition. For an example of LDAP account management with the pam_ldap module, see Example 6, Sample pam.conf File Using the pam_ldap Module for Account Management.

Before configuring the password and account lockout policy on the ODSEE, make sure all hosts use the most recent version of the LDAP client with pam_ldap account management. Additionally, make sure the clients have a properly configured pam.conf file. Otherwise, the LDAP naming service fails when proxy or user passwords expire.

LDAP Account Management With the pam_unix_* Modules

The LDAP naming service supports the full functionality of the passwd command and the pam_unix_* modules that the files naming service provides. If the enableShadowUpdate switch is enabled, account management functionality becomes available to both local accounts and LDAP accounts. The functionality includes password aging, account expiry and notification, and failed login account locking. LDAP also supports the -d, -l, -u, -N, -f, -n, -w, and -x options of the passwd command. The enableShadowUpdate switch therefore provides consistent account management for users who are defined in both the files and the LDAP scope.

The pam_ldap and pam_unix_* approaches to account management are incompatible. The pam_ldap module requires that users be able to modify their own passwords on the directory server, whereas with the pam_unix_* modules users do not modify passwords directly; the client updates the password and shadow data with the administrator credential. Therefore, you cannot mix the two within the same LDAP naming domain: either all clients use the pam_ldap module or all clients use the pam_unix_* modules. As a consequence of this limitation, you might need a dedicated LDAP server where, for example, a web or email application requires users to change their own passwords on the LDAP server.

Implementing enableShadowUpdate also requires that the administrator credential (adminDN and adminPassword) be stored locally on every client, in the svc:/network/ldap/client service configuration. Protect that credential accordingly: it has write access to the shadow data of every user in the domain.
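The following audit script is an added example and is not part of the Oracle documentation or of Solaris. It checks the output of ldapclient list for the requirement just described: if enableShadowUpdate is TRUE, both adminDN and adminPassword must be present in the client configuration. The attribute names it parses (NS_LDAP_ENABLE_SHADOW_UPDATE, NS_LDAP_ADMIN_BINDDN, NS_LDAP_ADMIN_BINDPASSWD) are the ones ldapclient list prints on Solaris 11; the three configuration samples, including their DNs and {NS1} password values, are constructed here so the script runs offline. On a real client you would feed it `ldapclient list` output instead.

```shell
#!/bin/sh
# Added example, not Oracle code: audit 'ldapclient list' output for the
# enableShadowUpdate / administrator-credential invariant.

# get_attr FILE NAME  -> prints the value of the line "NAME= value" (empty if absent)
get_attr() {
    sed -n "s/^$2= *//p" "$1" | head -n 1
}

# check_shadow_update FILE
# Exit status 0: configuration is consistent, either because enableShadowUpdate
#   is not TRUE (pam_unix_* account management is then not in effect and no
#   administrator credential is needed) or because it is TRUE and both adminDN
#   and adminPassword are set.
# Exit status 1: enableShadowUpdate is TRUE but a credential is missing. On such
#   a client the shadow data cannot be updated; fix it with the Solaris command
#   (not run here):
#   ldapclient mod -a enableShadowUpdate=TRUE -a adminDN=<dn> -a adminPassword=<pw>
check_shadow_update() {
    cfg=$1
    enable=$(get_attr "$cfg" NS_LDAP_ENABLE_SHADOW_UPDATE)
    case "$enable" in
        TRUE|true) ;;
        *) echo "$cfg: enableShadowUpdate not TRUE; pam_unix_* account management inactive"
           return 0 ;;
    esac
    admin_dn=$(get_attr "$cfg" NS_LDAP_ADMIN_BINDDN)
    admin_pw=$(get_attr "$cfg" NS_LDAP_ADMIN_BINDPASSWD)
    rc=0
    if [ -z "$admin_dn" ]; then
        echo "$cfg: enableShadowUpdate=TRUE but adminDN is not set"; rc=1
    fi
    if [ -z "$admin_pw" ]; then
        echo "$cfg: enableShadowUpdate=TRUE but adminPassword is not set"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$cfg: consistent, shadow updates use $admin_dn"
    return "$rc"
}

# Constructed samples in 'ldapclient list' format (example.com names, fake {NS1} hashes).
SAMPLE_OK=$(mktemp); SAMPLE_MISSING_PW=$(mktemp); SAMPLE_DISABLED=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_MISSING_PW" "$SAMPLE_DISABLED"' EXIT

cat > "$SAMPLE_OK" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
NS_LDAP_ADMIN_BINDDN= cn=admin,ou=profile,dc=example,dc=com
NS_LDAP_ADMIN_BINDPASSWD= {NS1}6a9c3e2b7d0f41c5
EOF

# enableShadowUpdate turned on, but adminPassword was never stored on this client.
cat > "$SAMPLE_MISSING_PW" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
NS_LDAP_ADMIN_BINDDN= cn=admin,ou=profile,dc=example,dc=com
EOF

# Client that relies on pam_ldap instead; no administrator credential is expected.
cat > "$SAMPLE_DISABLED" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_ENABLE_SHADOW_UPDATE= FALSE
EOF

check_shadow_update "$SAMPLE_OK"
check_shadow_update "$SAMPLE_MISSING_PW" || echo "audit flagged the incomplete client configuration"
check_shadow_update "$SAMPLE_DISABLED"
```

Run the same check on every client before enabling the ODSEE password policy; a single host with enableShadowUpdate=TRUE and no stored administrator credential will fail to update shadow data once passwords start expiring.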

Do not change the /etc/pam.conf file to use the pam_unix_* modules for account management. The default /etc/pam.conf file is sufficient.