System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Configuring the Directory Server to Enable Password Management

See the “User Account Management” chapter in the Sun ONE Directory Server 5.1 Administrator's Guide for how to use the Directory Server Console or ldapmodify to configure the password management policy for the LDAP directory. In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server.

Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.

# ldapmodify -h ldapserver -D "administrator DN" \
 -w "administrator password" <<EOF
dn: proxy user DN
changetype: modify
replace: passwordexpirationtime
passwordexpirationtime: 20380119031407Z
EOF

Note –

pam_ldap password management relies on Sun ONE Directory Server 5.1 to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. pam_unix, however, examines the shadow data to determine if accounts are locked or if passwords are aged. Since the shadow data is not kept up to date by the LDAP naming services or the directory server, pam_unix should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword attribute. Denying proxy users read access to userPassword prevents pam_unix from validating accounts against stale shadow data.
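The following shell script is an added example, not part of the Sun guide, that ties the two settings above together: it generates the ldapmodify input that gives each proxy account the non-expiring passwordexpirationtime value from the script above, and an ACI in Sun ONE Directory Server syntax that denies that proxy identity read, search and compare access to userPassword. The host name ldapserver, the bind DN, the proxy DN cn=proxyagent,ou=profile,dc=example,dc=com and the ACI label are assumed placeholders; the apply_ldif and check_noexpire functions need network access to a directory server and are not run by the example itself.

```shell
#!/bin/sh
# Added example (not from the Sun guide). All DNs and the host name are
# constructed placeholders; adjust them to the directory being administered.

# Far-future expiration time used by the guide (2038-01-19 03:14:07 UTC).
NOEXPIRE="20380119031407Z"

# Print one ldapmodify change record per proxy DN given as an argument,
# replacing passwordexpirationtime so the proxy password never expires.
proxy_noexpire_ldif() {
    for dn in "$@"; do
        printf 'dn: %s\nchangetype: modify\nreplace: passwordexpirationtime\npasswordexpirationtime: %s\n\n' \
            "$dn" "$NOEXPIRE"
    done
}

# Print the change record that adds an ACI at the given suffix denying the
# proxy identity read, search and compare access to userPassword, so that
# pam_unix cannot obtain password data through the proxy. The ACI name
# "deny proxy read of userPassword" is our own label.
proxy_deny_userpassword_ldif() {
    suffix=$1
    proxydn=$2
    printf 'dn: %s\nchangetype: modify\nadd: aci\naci: (targetattr = "userPassword")(version 3.0; acl "deny proxy read of userPassword"; deny (read,search,compare) userdn = "ldap:///%s";)\n\n' \
        "$suffix" "$proxydn"
}

# Feed LDIF from stdin to the server (host, bind DN, bind password).
# Requires a reachable directory server; not executed below.
apply_ldif() {
    ldapmodify -h "$1" -D "$2" -w "$3"
}

# Confirm the proxy entry really carries the non-expiring value
# (host, bind DN, bind password, proxy DN). Exit status 0 means it does.
check_noexpire() {
    ldapsearch -h "$1" -D "$2" -w "$3" -b "$4" -s base "objectclass=*" \
        passwordexpirationtime | grep -q "passwordexpirationtime: $NOEXPIRE"
}

# Stand-alone run: show the LDIF that would be piped into apply_ldif, e.g.
#   { proxy_noexpire_ldif "$PROXY"; proxy_deny_userpassword_ldif "$SUFFIX" "$PROXY"; } \
#       | apply_ldif ldapserver "cn=Directory Manager" "$ADMINPW"
PROXY="cn=proxyagent,ou=profile,dc=example,dc=com"
SUFFIX="dc=example,dc=com"
proxy_noexpire_ldif "$PROXY"
proxy_deny_userpassword_ldif "$SUFFIX" "$PROXY"
```

Run the generated records through apply_ldif with the administrator credentials, then call check_noexpire against each proxy DN; a non-zero exit status from check_noexpire means the expiration time was not replaced and clients at the proxy credential level will lose access once the old expiration date passes.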