If the /etc/pam.conf file is unconfigured, UNIX authentication is enabled by default.
The following modules provide functionality equivalent to that of the original pam_unix module. The modules are listed by using their corresponding man pages.
The pam_unix_* modules follow the traditional model of UNIX authentication:
1. The client retrieves the user's encrypted password from the name service.
2. The user is prompted for the user's password.
3. The user's password is encrypted.
4. The client compares the two encrypted passwords to determine whether the user should be authenticated.
The pam_unix_* modules have the following restrictions:
- The password must be stored in UNIX crypt format.
- The userPassword attribute must be readable by the name service.
For example, if you set the credential level to anonymous, then anyone must be able to read the userPassword attribute. Similarly, if you set the credential level to proxy, then the proxy user must be able to read the userPassword attribute.
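One way to check both restrictions before relying on the pam_unix_* modules, as an added example that is not part of the original documentation: it audits an LDIF export for accounts whose userPassword is absent or is not stored with the {crypt} scheme prefix that RFC 2307 defines for UNIX crypt values. The DNs, password values and function names are constructed for illustration, and the export is assumed to have been taken with the same identity (anonymous or proxy) that the client uses, so an unreadable attribute shows up as a missing one.

```python
import base64
import re

SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.+)$", re.S)

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed LDIF, not real directory data. "::" marks a base64-encoded value.
SAMPLE_LDIF = "\n\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword: {crypt}$5$constructedsalt$constructedhash",
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword:: " + b64("{SSHA}constructedvalue"),
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword:: " + b64("{crypt}abConstructedDES"),
    "dn: uid=dave,ou=people,dc=example,dc=com",
])

def check_value(value):
    """Return 'ok' for a {crypt} value, otherwise the reason it is unusable."""
    match = SCHEME.match(value)
    if not match:
        return "not crypt format: unrecognized value"
    scheme = match.group(1).lower()  # assumption: scheme name is case-insensitive
    return "ok" if scheme == "crypt" else "not crypt format: " + scheme

def audit(ldif):
    """Map each DN to 'ok' or the reason pam_unix_* could not authenticate it."""
    # Simplification: folded (continuation) LDIF lines are not handled.
    results = {}
    for entry in ldif.strip().split("\n\n"):
        dn, status = None, "userPassword missing or not readable"
        for line in entry.splitlines():
            name, _, raw = line.partition(":")
            if raw.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            else:
                value = raw.strip()
            if name.lower() == "dn":
                dn = value
            elif name.lower() == "userpassword":
                status = check_value(value)
        if dn:
            results[dn] = status
    return results
```
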
The pam_unix_account module supports account management when the enableShadowUpdate switch is set to true. The controls for a remote LDAP user account are applied in the same manner that controls are applied to a local user account that is defined in the passwd and shadow files. For the LDAP account in enableShadowUpdate mode, the system updates and uses the shadow data on the LDAP server for password aging and account locking. The shadow data of the local account only applies to the local client system, while the shadow data of an LDAP user account applies to the user on all client systems.
Password history checking is only supported for the local client, and not for an LDAP user account.