PAM provides a way for applications to remain independent of the authentication scheme used in the Solaris Operating Environment. By using the PAM layer, applications can perform authentication without needing to know which authentication method the system administrator has defined for a given client. To use the LDAP naming service, one of two PAM modules can be configured in pam.conf: pam_unix(5) or pam_ldap(5).
When pam_unix is used, the traditional UNIX authentication model is followed: the user's password hash is retrieved from the directory to the local machine, the user is prompted for a password, that password is hashed with the same salt, and the two hashes are compared to decide whether the user is authenticated. If LDAP clients are configured with this module, the userPassword attribute must be readable by the identity the client binds as (anonymous or the configured proxy agent). Note that whoever can read that attribute can also run offline guessing attacks against the stored hashes, so making userPassword readable to every client (and, with anonymous binds, to everyone who can reach the server) widens exposure considerably. Additionally, there are two more restrictions when using pam_unix:
The password must be stored in the userPassword attribute.
The password must be stored in UNIX crypt format (not in clear text and not hashed with any other scheme the directory server may offer).
Because the traditional authentication method used by pam_unix is not necessarily the best option when deploying LDAP directories, a new PAM module, pam_ldap, was added in Solaris 8. It authenticates users directly to the directory: the client binds to the directory server as the user with the password the user supplied, and the server decides whether the credentials are valid. This allows Solaris clients to work with newer and more advanced authentication methods that the directory server may support. By design, clients using pam_ldap do not require read access to the password attribute, and the password does not need to be stored in any specific format in the directory.
As an added benefit, because pam_ldap authenticates users directly to the directory server, per-user access controls can be enforced in the directory itself: an individual's ability to authenticate can be controlled with ACIs.
As with pam_unix, use the passwd command to change a password.
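The following pam.conf fragment, added here as an illustration and not taken from the Solaris documentation, shows the two configurations described above for the login service. Stanza (a) is the traditional pam_unix-only stack; stanza (b) stacks pam_ldap after pam_unix so that a user who is not in the local password file (or whose userPassword the client cannot read) is authenticated by binding to the directory. The module paths, the $ISA token and the control flags (sufficient, required, try_first_pass) are assumptions and must be checked against pam.conf(4), pam_unix(5) and pam_ldap(5) for the release in use. Only one of the two stanzas should be present in a real file; they are shown together for comparison.

```text
# pam.conf excerpt (illustrative; verify paths and flags against pam.conf(4))
#
# (a) Traditional stack. pam_unix fetches the crypt-format userPassword
#     value from the directory and compares hashes on the client, so the
#     client's bind identity (anonymous or proxy agent) must be able to
#     read userPassword.
login   auth required    /usr/lib/security/$ISA/pam_unix.so.1

# (b) pam_ldap stack. pam_unix is tried first and is enough on its own for
#     local /etc/passwd accounts; if it does not succeed, pam_ldap binds to
#     the directory as the user with the password already collected
#     (try_first_pass). No hash leaves the server, so userPassword can be
#     made unreadable to clients and per-user ACIs decide who may bind.
login   auth sufficient  /usr/lib/security/$ISA/pam_unix.so.1
login   auth required    /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
```

The same change must be made for every service name that performs authentication (for example rlogin, telnet, dtlogin and the catch-all other entry), not just login. Two checks are worth doing after switching to (b): bind to the directory as the client's proxy identity and confirm that userPassword is no longer returned for a user entry, and make sure the client-to-server connection is protected, because a simple bind sends the user's password to the directory server in clear text unless the connection itself is encrypted.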