LDAP naming services take advantage of the password and account lockout policy support in Sun ONE Directory Server 5.1. You can configure pam_ldap(5) to support user account management. When used with the proper PAM configuration, passwd(1) enforces the password syntax rules set by the Sun ONE Directory Server password policy.
The following password management features are supported through pam_ldap(5). These features depend on Sun ONE Directory Server 5.1's password and account lockout policy configuration. You can enable as many or as few of the features as you want.
Password aging and expiration notification
Users must change their passwords according to a schedule. A password expires if it is not changed within the time configured. An expired password causes user authentication to fail.
Users see a warning message whenever they log in within the expiration warning period. The message specifies the number of hours or days until the password expires.
Password syntax checking
New passwords must meet the minimum password length requirements. In addition, a password cannot match the value of the uid, cn, sn, or mail attributes in the user's directory entry.
Password in history checking
Users cannot reuse passwords. If a user attempts to change the password to one that was previously used, passwd(1) fails. LDAP administrators can configure the number of passwords kept in the server's history list.
User account lockout
A user account can be locked out after a given number of repeated authentication failures. A user can also be locked out if the account is inactivated by an administrator. Authentication continues to fail until the account lockout time has passed or the administrator reactivates the account.
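The four policy features above, as an added example that models the checks in Python; this is not Sun ONE Directory Server or pam_ldap code, and the thresholds, field names and sample user entry are constructed for illustration rather than taken from the server's attributes or defaults.

```python
# Added model of the pam_ldap password management checks; all values are constructed.
from datetime import datetime, timedelta

POLICY = {                               # constructed thresholds, not server defaults
    "max_age": timedelta(days=90), "warn_period": timedelta(days=7),
    "min_length": 8, "history_size": 3,  # old passwords the server remembers
    "max_failures": 3, "lockout_duration": timedelta(minutes=30),
}

SAMPLE_ENTRY = {                         # constructed user entry, not a real record
    "uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.com",
    "history": ["Winter2002!", "Spring2003!", "Summer2003!"],
    "changed": datetime(2003, 3, 10),    # last password change
    "failures": 3, "last_failure": datetime(2003, 6, 1, 11, 50), "inactivated": False,
}

def check_syntax(entry, new_password):
    """Syntax check: minimum length, and no match with uid, cn, sn or mail."""
    if len(new_password) < POLICY["min_length"]:
        return "too short"
    for attr in ("uid", "cn", "sn", "mail"):
        if new_password == entry.get(attr):
            return f"matches {attr} attribute"
    return None

def check_history(entry, new_password):
    """History check: the last history_size passwords may not be reused."""
    recent = entry.get("history", [])[-POLICY["history_size"]:]
    return "password in history" if new_password in recent else None

def evaluate_change(entry, new_password):
    """Return the reasons a passwd(1) change would fail; empty list means accepted."""
    results = (check_syntax(entry, new_password), check_history(entry, new_password))
    return [r for r in results if r]

def expiry_status(entry, now):
    """Aging: 'expired', 'warn' (with the time left as the login message shows) or 'ok'."""
    left = entry["changed"] + POLICY["max_age"] - now
    if left <= timedelta(0):
        return ("expired", None)
    if left <= POLICY["warn_period"]:
        return ("warn", f"{left.days} days" if left.days else f"{left.seconds // 3600} hours")
    return ("ok", None)

def is_locked(entry, now):
    """Lockout: inactivated by an admin, or too many failures still inside the lockout window."""
    if entry.get("inactivated"):
        return True
    if entry.get("failures", 0) < POLICY["max_failures"]:
        return False
    return now < entry["last_failure"] + POLICY["lockout_duration"]
```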
The preceding password management features only work with Sun ONE Directory Server 5.1 bundled with Solaris 9. For information about configuring the password and account lockout policy on the server, see the “User Account Management” chapter in the Sun ONE Directory Server 5.1 Administrator's Guide. Also see Example pam_conf file for pam_ldap Configured for Password Management.
Before configuring the password and account lockout policy on Sun ONE Directory Server 5.1, make sure all hosts use the “newest” LDAP client with pam_ldap password management. The “newest” version of the LDAP client is part of Solaris 9, update 2.
In addition, make sure the clients have a properly configured pam.conf(4) file. Otherwise, LDAP naming services will not work when proxy or user passwords expire.