Password Management

LDAP naming services take advantage of the password and account lockout policy support in Sun ONE Directory Server. You can configure pam_ldap(5) to support user account management. passwd(1) enforces password syntax rules set by the Sun ONE Directory Server password policy, when used with the proper PAM configuration.

The following password management features are supported through pam_ldap(5). These features depend on Sun ONE Directory Server's password and account lockout policy configuration. You can enable as many or as few of the features as you want.

• Password aging and expiration notification

  Users must change their passwords according to a schedule. A password expires if it is not changed within the time configured. An expired password causes user authentication to fail.

  Users see a warning message whenever they log in within the expiration warning period. The message specifies the number of hours or days until the password expires.

• Password syntax checking

  New passwords must meet the minimum password length requirements. In addition, a password cannot match the value of the uid, cn, sn, or mail attributes in the user's directory entry.

• Password in history checking

  Users cannot reuse passwords. If a user attempts to change the password to one that was previously used, passwd(1) fails. LDAP administrators can configure the number of passwords kept in the server's history list.

• User account lockout

  A user account can be locked out after a given number of repeated authentication failures. A user can also be locked out if his account is inactivated by an administrator. Authentication will continue to fail until the account lockout time is passed or the administrator reactivates the account.

The preceding password management features only work with the Sun ONE Directory Server version bundled with Solaris 9. For information about configuring the password and account lockout policy on the server, see the “User Account Management” chapter in the Administration Guide for the version of Sun ONE Directory Server that you are using. Also see Example pam_conf file for pam_ldap Configured for Password Management. Do not enable password management for proxy accounts.

Before configuring the password and account lockout policy on Sun ONE Directory Server, make sure all hosts use the “newest” LDAP client with pam_ldap password management.

In addition, make sure the clients have a properly configured pam.conf(4) file. Otherwise, LDAP naming services will not work when proxy or user passwords expire.