Configuring the Directory Server to Enable Account Management
Account management can be implemented for clients that use pam_ldap and for clients that use the pam_unix_* modules.
 | Caution - Do not use both the pam_ldap and pam_unix_* modules in the same LDAP naming domain. Either all clients use pam_ldap or all clients use the pam_unix_* modules. This limitation might indicate that you need a dedicated LDAP server. |
Account Management for Clients That Use the pam_ldap Module
In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server. You can use the Directory Server Console or ldapmodify to configure the account management policy for the LDAP directory. For procedures and more information, see the "User Account Management" chapter in the administration guide for the version of Oracle Directory Server Enterprise Edition that you are using.
Note - Previously with pam_ldap account management, all users needed to provide a login password for authentication whenever they log in to a system. Consequently, non-password based logins that used tools such as ssh would fail.
You can now perform account management and retrieve the account status of users without authenticating to Directory Server as the user is logging in.
The new control on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8. This control is enabled by default. To modify the default control configuration, add access control instructions (ACIs) on Directory Server. For example:
dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config objectClass: top objectClass: directoryServerFeature oid:1.3.6.1.4.1.42.2.27.9.5.8 cn:Password Policy Account Usable Request Control aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; allow (read, search, compare, proxy) (groupdn = "ldap:///cn=Administrators,cn=config");) creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=server,cn=plugins,cn=config
Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.
# ldapmodify -h ldapserver -D administrator_DN \ -w administrator-password <<EOF dn: proxy-user-DN DNchangetype: modify replace: passwordexpirationtime passwordexpirationtime: 20380119031407Z EOF
Note - pam_ldap account management relies on Oracle Directory Server Enterprise Edition to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. The pam_unix_* modules, however, examine the shadow data to determine if accounts are locked or if passwords are aged. Because the shadow data is not kept up to date by the LDAP naming service or the directory server, the modules should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword attribute. Denying proxy users read access to userPassword prevents the PAM service from making an invalid account validation.
Account Management for Clients That Use the pam_unix_* Modules
To enable LDAP clients to use the pam_unix_* modules for account management, the server must be set up to enable the updating of shadow data. Unlike pam_ldap account management, the pam_unix_* modules do not require extra configuration steps. All configuration can be performed by running the idsconfig utility.
The following example shows the output of two idsconfig runs.
The first idsconfig run uses an existing client profile.
# /usr/lib/ldap/idsconfig It is strongly recommended that you BACKUP the directory server before running idsconfig. Hit Ctrl-C at any time before the final confirmation to exit. Do you wish to continue with server setup (y/n/h)? [n] y Enter the JES Directory Server's hostname to setup: myserver Enter the port number for DSEE (h=help): [389] Enter the directory manager DN: [cn=Directory Manager] Enter passwd for cn=Directory Manager : Enter the domainname to be served (h=help): [west.example.com] Enter LDAP Base DN (h=help): [dc=west,dc=example,dc=com] Checking LDAP Base DN ... Validating LDAP Base DN and Suffix ... sasl/GSSAPI is not supported by this LDAP server Enter the profile name (h=help): [default] WestUserProfile Profile 'WestUserProfile' already exists, it is possible to enable shadow update now. idsconfig will exit after shadow update is enabled. You can also continue to overwrite the profile or create a new one and be given the chance to enable shadow update later.
Just enable shadow update (y/n/h)? [n] y Add the administrator identity (y/n/h)? [y] Enter DN for the administrator: [cn=admin,ou=profile,dc=west,dc=example,dc=com] Enter passwd for the administrator: Re-enter passwd: ADDED: Administrator identity cn=admin,ou=profile,dc=west,dc=example,dc=com. Proxy ACI LDAP_Naming_Services_proxy_password_read does not exist for dc=west,dc=example,dc=com. ACI SET: Give cn=admin,ou=profile,dc=west,dc=example,dc=com read/write access to shadow data. ACI SET: Non-Admin access to shadow data denied. Shadow update has been enabled.
The second idsconfig run creates a new profile for later use. Only partial output is displayed.
# /usr/lib/ldap/idsconfig It is strongly recommended that you BACKUP the directory server before running idsconfig. Hit Ctrl-C at any time before the final confirmation to exit. Do you wish to continue with server setup (y/n/h)? [n] y Enter the JES Directory Server's hostname to setup: myserver Enter the port number for DSEE (h=help): [389] Enter the directory manager DN: [cn=Directory Manager] Enter passwd for cn=Directory Manager : Enter the domainname to be served (h=help): [west.example.com] Enter LDAP Base DN (h=help): [dc=west,dc=example,dc=com] Checking LDAP Base DN ... Validating LDAP Base DN and Suffix ... sasl/GSSAPI is not supported by this LDAP server Enter the profile name (h=help): [default] WestUserProfile-new Default server list (h=help): [192.168.0.1] . . . Do you want to enable shadow update (y/n/h)? [n] y
Summary of Configuration 1 Domain to serve : west.example.com 2 Base DN to setup : dc=west,dc=example,dc=com Suffix to create : dc=west,dc=example,dc=com 3 Profile name to create : WestUserProfile-new . . . 19 Enable shadow update : TRUE . . . Enter DN for the administrator: [cn=admin,ou=profile,dc=west,dc=example,dc=com] Enter passwd for the administrator: Re-enter passwd: WARNING: About to start committing changes. (y=continue, n=EXIT) y 1. Changed timelimit to -1 in cn=config. 2. Changed sizelimit to -1 in cn=config. . . . 11. ACI for dc=test1,dc=mpklab,dc=sfbay,dc=sun,dc=com modified to disable self modify. . . . 15. Give cn=admin,ou=profile,dc=west,dc=example,dc=com write permission for shadow. ...