Account Management

If you select pam_krb5 as your account and password management system, the Kerberos environment will manage all your account, password, account lockout, and other account management details. Refer to pam_krb5(5) and the System Administration Guide: Security Services.

If you do not use pam_krb5, then LDAP naming services can be configured to take advantage of the password and account lockout policy support in Sun Java System Directory Server. You can configure pam_ldap(5) to support user account management. passwd(1) enforces password syntax rules set by the Sun Java System Directory Server password policy, when used with the proper PAM configuration.

The following account management features are supported through pam_ldap(5). These features depend on Sun Java System Directory Server's password and account lockout policy configuration. You can enable as many or as few of the features as you want.

• Password aging and expiration notification

  Users must change their passwords according to a schedule. A password expires if it is not changed within the time configured. An expired password causes user authentication to fail.

  Users see a warning message whenever they log in within the expiration warning period. The message specifies the number of hours or days until the password expires.

• Password syntax checking

  New passwords must meet the minimum password length requirements. In addition, a password cannot match the value of the uid, cn, sn, or mail attributes in the user's directory entry.

• Password in history checking

  Users cannot reuse passwords. If a user attempts to change the password to one that was previously used, passwd(1) fails. LDAP administrators can configure the number of passwords kept in the server's history list.

• User account lockout

  A user account can be locked out after a given number of repeated authentication failures. A user can also be locked out if his account is inactivated by an administrator. Authentication will continue to fail until the account lockout time is passed or the administrator reactivates the account.

The preceding account management features only work with the Sun Java System Directory Server. For information about configuring the password and account lockout policy on the server, see the “User Account Management” chapter in the Administration Guide for the version of Sun Java System Directory Server that you are using. Also see Example pam_conf file for pam_ldap Configured for Account Management. Do not enable account management for proxy accounts.

Before configuring the password and account lockout policy on Sun Java System Directory Server, make sure all hosts use the “newest” LDAP client with pam_ldap account management.

In addition, make sure the clients have a properly configured pam.conf(4) file. Otherwise, LDAP naming services will not work when proxy or user passwords expire.

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

Account Management With pam_unix

Starting in the Solaris 10 10/09 release, the enableShadowUpdate switch is available. When enableShadowUpdate is set to true, LDAP offers the same functionality as the files naming service for account management.

If the enableShadowUpdate switch is set to true on the client, account management functionality that is available to local accounts is also available to LDAP accounts. Functionality includes password aging, account expiry and notification, failed login account locking, and so on. Also, the -dluNfnwx options to the passwd command are now supported in LDAP. Thus, the full functionality of the passwd command and the pam_unix* modules in the files naming service is supported in the LDAP naming service. The enableShadowUpdate switch provides a way to implement consistent account management for users who are defined in both the files and the LDAP scope.

To prevent users from modifying their own account management data and thereby circumventing password policy, the LDAP server is configured to prevent user write access to the user's own shadow data on the server. An administrator with admin credentials performs the shadow data updates for a client system. Such a configuration, however, conflicts with the pam_ldap module, which requires that passwords be modifiable by users. Therefore, account management by pam_ldap and pam_unix are incompatible.

Do not use both pam_ldap and pam_unix in the same LDAP naming domain. Either all clients use pam_ldap or all clients use pam_unix. This limitation might indicate that you need a dedicated LDAP server. For example, a web or email application might expect users to change their own password on the LDAP server.

The implementation of enableShadowUpdate also requires that the admin credential (adminDN plus adminPassword) be stored locally on every client. Even though adminPassword is encrypted and can only be read from the /var/ldap/ldap_client_cred file by the ldap_cachemgr daemon, special care must be taken to protect the admin credential. To protect the credential, make it different from the server's directory manager (cn=directory manager). Another protection would be to configure the serviceAuthenticationMethod with a value of tls:simple or better for the passwd-cmd service, so that the value of adminPassword is not sent in the clear and therefore becomes vulnerable to snooping.

Unlike using pam_ldap for account management, using pam_unix for account management does not require a change to the /etc/pam.conf file. The default /etc/pam.conf file is sufficient.