Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014

Configuring PAM

The pam_ldap module is a PAM module option for LDAP to authenticate clients and to perform account management. If you configured the client profile's authentication mode as simple and the credential level as self, you must also enable the pam_krb module.

Configuring PAM to Use UNIX policy

The /etc/pam.conf file serves as the default configuration file for PAM to use UNIX policy. Typically, you do not need to introduce changes to this file.

However, if password aging and password policy as controlled by the shadow data are required, the client must be configured and run with the enableShadowUpdate switch. See Initializing an LDAP Client for an example of initializing an LDAP client to enable updating of shadow data.

For details about the configuration file, see the pam.conf(4) man page.

Configuring PAM to Use LDAP server_policy

To configure PAM to use LDAP server_policy, refer to Example pam_conf File Using the pam_ldap Module for Account Management. Using that sample file, perform the following additional steps:

  • Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file.

  • If any PAM module in the sample file specifies the binding flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file.

    Using the binding control flag allows a local password override of a remote (LDAP) password. For example, if a user account is found on both the local files and the LDAP namespace, the password associated with the local account takes precedence over the remote password. Thus, if the local password expires, authentication fails even if the remote LDAP password is still valid.

    The server_policy option instructs pam_unix_auth, pam_unix_account, and pam_passwd_auth to ignore a user found in the LDAP namespace and to allow pam_ldap to perform authentication or account validation. In the case of pam_authtok_store, a new password is passed to the LDAP server without encryption. The password is then stored in the directory according to the password encryption scheme configured on the server. For more information, see pam.conf(4) and pam_ldap(5).

  • Add the server_policy option to the line that contains the service module pam_authtok_store.so.1.
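The three steps above, as an added example that is not Oracle's sample pam.conf and not Solaris code: a constructed pam.conf fragment in which the pam_unix_auth, pam_unix_account and pam_passwd_auth lines carry the binding flag with server_policy, each is followed by pam_ldap.so.1, and pam_authtok_store.so.1 carries server_policy; below it, a POSIX shell function that reads a pam.conf on standard input and audits its lines against those three steps. The module names are the standard Solaris PAM modules; the service names, the stack ordering, and the function name check_pam_ldap_policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Oracle's sample file. Constructed pam.conf fragment
# for a login auth stack, the passwd auth stack, the account stack and
# the password stack, laid out as the steps above describe:
# pam_unix_*/pam_passwd_auth use "binding" plus server_policy and are
# followed by pam_ldap.so.1; pam_authtok_store.so.1 gets server_policy so
# that a new password is handed to the LDAP server rather than to files.
SAMPLE_PAM_CONF='
# service  type      control    module                  options
login      auth      requisite  pam_authtok_get.so.1
login      auth      required   pam_dhkeys.so.1
login      auth      required   pam_unix_cred.so.1
login      auth      binding    pam_unix_auth.so.1      server_policy
login      auth      required   pam_ldap.so.1
passwd     auth      binding    pam_passwd_auth.so.1    server_policy
passwd     auth      required   pam_ldap.so.1
other      account   requisite  pam_roles.so.1
other      account   binding    pam_unix_account.so.1   server_policy
other      account   required   pam_ldap.so.1
other      password  required   pam_dhkeys.so.1
other      password  requisite  pam_authtok_get.so.1
other      password  requisite  pam_authtok_check.so.1
other      password  required   pam_authtok_store.so.1  server_policy
'

# Audit the pam.conf text on stdin against the three steps. Prints one
# line per problem found and returns 1 if there was any, 0 otherwise.
check_pam_ldap_policy() {
    awk '
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    {
        service = $1; type = $2; flag = $3; module = $4
        opts = ""
        for (i = 5; i <= NF; i++) opts = opts " " $i
        has_sp = (index(opts, " server_policy") > 0)
        if (module == "pam_ldap.so.1") ldap_lines++
        # Step 2: server_policy on pam_unix_auth, pam_unix_account or
        # pam_passwd_auth only makes sense together with the binding flag.
        if (has_sp && module ~ /^pam_(unix_auth|unix_account|passwd_auth)\.so\.1$/ &&
            flag != "binding") {
            printf("%s %s: %s has server_policy but its control flag is %s, not binding\n",
                   service, type, module, flag)
            bad++
        }
        # Step 3: pam_authtok_store.so.1 must carry server_policy.
        if (module == "pam_authtok_store.so.1") {
            store_lines++
            if (!has_sp) {
                printf("%s %s: pam_authtok_store.so.1 lacks server_policy\n", service, type)
                bad++
            }
        }
    }
    END {
        # Step 1: the pam_ldap.so.1 lines have to be present at all.
        if (ldap_lines == 0) { print "no pam_ldap.so.1 entries found"; bad++ }
        if (store_lines == 0) { print "no pam_authtok_store.so.1 entry found"; bad++ }
        if (bad > 0) exit 1
        exit 0
    }'
}

# Run the audit over the constructed fragment; on a real client you would
# feed it /etc/pam.conf instead.
printf '%s\n' "$SAMPLE_PAM_CONF" | check_pam_ldap_policy \
    && echo "pam.conf entries match the server_policy steps"
```

The audit only reports what the three steps require; it does not check module order within a stack, so a pam_ldap.so.1 line placed before its binding pam_unix_* line would still pass and is worth a manual look.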


Note - Previously, with pam_ldap account management, all users needed to provide a login password for authentication whenever they logged in to a system. Consequently, non-password-based logins that used tools such as ssh would fail.

You can now perform account management and retrieve the account status of users without authenticating to Directory Server as the user is logging in.

The new control on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8. This control is enabled by default. To modify the default control configuration, add access control instructions (ACIs) on Directory Server. For example:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.5.8
cn: Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
  allow (read, search, compare, proxy)
  (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config