Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Step 4: Configuring a Solaris Host to Use PAM

After configuring the LDAP store, you must configure a Solaris system and create a PAM client to test the viability of PAM-based authentication.

To configure a Solaris host and create a PAM client you must

  1. Install and configure a test Solaris system.

  2. Configure the client machine.

  3. Specify new rules for authentication and password management.

    To illustrate this process, example instructions are provided in the next three sections.

Installing and Configuring a Solaris Test System

Install and configure a test Solaris system as an independent, standalone machine.

Note –

To simplify this example, consider configuring a machine that is devoid of any naming service directives (such as NIS or NIS+).

Consider using a Solaris 9 x86 4/04 system, which contains patches required for PAM and its associated subsystems.

Configuring the Client Machine

The following example instructions assume that you installed and configured the Solaris host as described in the previous section.

You must configure a PAM client machine to locate the LDAP host with a repository that the client will use to access (and effectively change) the LDAP store. To configure the PAM client, use the Solaris ldapclient command, which stores the client’s configuration information on the local host.

Note –

Be sure to make a back-up copy of the /etc/nsswitch.conf file before you run the ldapclient command. Running ldapclient has several side effects— which includes completely replacing the system’s /etc/nsswitch.conf file with a copy of the content in /etc/nsswitch.ldap.

The following image illustrates an example ldapclient command:

Figure A–1 Example ldapclient Command

Example ldapclient Command

Specifying Rules for Authentication and Password Management

Note –

The example instructions provided in this section assume that you installed and configured the Solaris host as described in the Installing and Configuring a Solaris Test System section.

When you configure a Solaris host to use PAM, change the /etc/pam.conf file to incorporate the new rules you want it to use for authentication and password management. (See Introducing Windows NT into the configuration for an example /etc/pam.conf file.)

Before making any changes to the /etc/pam.conf file, be sure you make a backup copy of the original /etc/pam.conf file. Changes made to the /etc/nsswitch.conf and the /etc/pam.conf files can render your PAM client host inaccessible, which means that your configuration is set to deny everyone’s (including root) authentication access to the machine.

To recover from this situation:

  1. Edit the pam.conf file in the current terminal/command session.

  2. In a new terminal window, try connecting to the localhost using the rsh or ssh command and then try logging in.

    • If you fail to authenticate, you can still correct the problem using the open terminal/command window from .

    • If you are still unable to recover, restore the /etc/nsswitch.conf and /etc/pam.conf files back to their original state.

      Using the Solaris sys-unconfig command may not restore your system because this command does not affect the /etc/nsswitch.conf and /etc/pam.conf files.

  3. Repeat the steps 1 and 2 until you achieve the expected system behavior.

    The changes you must make to /etc/pam.conf are trivial, but important. They are explained here:


For purposes of authentication, you must edit the file as follows:

  1. Locate any entries in the original /etc/pam.conf file that direct the system to use a rule requiring PAM_UNIX_AUTH, and edit them to accept a binding directive and to pass the server_policy parameter to the PAM_UNIX_AUTH module.

    The following figure shows a diff between the original /etc/pam.conf file and the edited file.

    Edited /etc/pam.conf File
  2. Edit the file to add a new rule after the altered rule line. (the /etc/pam.conf file is processed from the top down, the line’s order is important here.)

    The new rule requires the service to include PAM_LDAP when deciding to accept an authentication request. The use_first_pass parameter tells the PAM_LDAP module that it must accept a password collected by an earlier rule’s module (usually satisfied by the PAM_AUTHTOK_GET module).

    Note –

    A use case that deserves special consideration is how PAM treats local user log on. A local user is a user who is permitted by /etc/nsswitch.conf directives to examine files (such as the root account) and is enumerated in the /etc/passwd file. Local users are not necessarily stored in the LDAP store.

    Allowing the root user to be listed in the LDAP store would simplify management of an important user account that spans the topology; however, you could make an equally powerful case for systems whose root user must be kept "private" for a given machine.

    To accommodate the need to keep an account (such as root) as a local user, it is important to configure PAM in such a way so that it does not access the LDAP back-end store if the user information has been saved in the local files. You can address this situation by specifying the server_policy parameter for the PAM_UNIX_AUTH module in the /etc/pam.conf configuration file.

Password Management

The only effective change required for password management is to append the server_policy parameter to the PAM_AUTHTOK_STORE module. When you use the server_policy parameter, the module will update passwords for local users (if found) or access the LDAP store accordingly. If the module cannot find a user either locally or in the LDAP store, then the system will provide an appropriate error message.

When you have finished configuring the Solaris host, continue to Step 5: Verifying that PAM is Interoperating with the LDAP Store.