Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP

Updated: July 2014

LDAP Account Management With the pam_unix_* Modules

If the enableShadowUpdate switch is enabled, account management functionality becomes available to both local accounts and LDAP accounts. The functionality includes password aging, account expiry and notification, failed login account locking, and so on. Also, the -dluNfnwx options of the passwd command are now supported in LDAP. Thus, the full functionality of the passwd command and the pam_unix_* modules in the files naming service is supported in the LDAP naming service. The enableShadowUpdate switch enables the implementation of consistent account management for users who are defined in both the files and the LDAP scope.

The pam_ldap and the pam_unix_* modules are incompatible. The pam_ldap module requires that passwords be modifiable by users. The pam_unix_* modules require the opposite. Thus, you cannot use the two together in the same LDAP naming domain. Either all clients use the pam_ldap module or all clients use the pam_unix_* modules. As a consequence of this limitation, you might need to use a dedicated LDAP server in cases where a web or email application, for example, might require users to change their own passwords on the LDAP server.

Implementing enableShadowUpdate also requires that the administrator credential (adminDN plus adminPassword) be stored locally on every client, in the svc:/network/ldap/client service.

Using the pam_unix_* modules for account management does not require changing the /etc/pam.conf file. The default /etc/pam.conf file is sufficient.
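The prerequisites stated above (enableShadowUpdate on, adminDN and adminPassword stored on the client, no pam_ldap mixed into the PAM stacks) can be checked before relying on pam_unix_* account management. The following pre-flight script is an added example, not part of the Oracle documentation; it reads the text of `ldapclient list` and of /etc/pam.conf from files, assumes that `ldapclient list` reports the three settings under the keys NS_LDAP_ENABLE_SHADOW_UPDATE, NS_LDAP_ADMIN_BINDDN and NS_LDAP_ADMIN_BINDPASSWD, and uses constructed placeholder values throughout.

```shell
#!/bin/sh
# Added pre-flight check, not from the Oracle documentation. Assumed: the
# enableShadowUpdate, adminDN and adminPassword settings appear in the output
# of "ldapclient list" as NS_LDAP_ENABLE_SHADOW_UPDATE, NS_LDAP_ADMIN_BINDDN
# and NS_LDAP_ADMIN_BINDPASSWD. All sample values below are constructed.

# check_shadow_update LDAPCLIENT_LIST_FILE PAM_CONF_FILE
# Returns 0 when every prerequisite holds, 1 otherwise, naming each gap.
check_shadow_update() {
    cfg=$1; pam=$2; rc=0
    # 1. The enableShadowUpdate switch must be on.
    grep -q '^NS_LDAP_ENABLE_SHADOW_UPDATE= *TRUE' "$cfg" ||
        { echo "enableShadowUpdate is not TRUE"; rc=1; }
    # 2. The administrator credential must be stored on this client.
    grep -q '^NS_LDAP_ADMIN_BINDDN= *[^ ]' "$cfg" ||
        { echo "adminDN is not set"; rc=1; }
    grep -q '^NS_LDAP_ADMIN_BINDPASSWD= *[^ ]' "$cfg" ||
        { echo "adminPassword is not set"; rc=1; }
    # 3. pam_ldap cannot be mixed with pam_unix_*; comment lines are ignored.
    if sed 's/#.*//' "$pam" | grep -q 'pam_ldap'; then
        echo "pam_ldap is configured; it cannot be used with pam_unix_*"; rc=1
    fi
    return $rc
}

# Constructed sample of "ldapclient list" output with shadow updates enabled.
good_cfg=$(mktemp); cat >"$good_cfg" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
NS_LDAP_ADMIN_BINDDN= cn=admin,ou=profile,dc=example,dc=com
NS_LDAP_ADMIN_BINDPASSWD= {NS1}placeholder
EOF

# Constructed pam.conf fragment in the default pam_unix_* style.
good_pam=$(mktemp); cat >"$good_pam" <<'EOF'
login   auth     requisite  pam_authtok_get.so.1
login   auth     required   pam_unix_auth.so.1
other   account  required   pam_unix_account.so.1
other   password required   pam_authtok_store.so.1
EOF

# The same fragment with pam_ldap mixed in, which the check must reject.
bad_pam=$(mktemp); { cat "$good_pam"; echo 'other   account  binding    pam_ldap.so.1'; } >"$bad_pam"

check_shadow_update "$good_cfg" "$good_pam" && echo "client is ready for pam_unix_* account management"
check_shadow_update "$good_cfg" "$bad_pam" || echo "mixed pam_ldap/pam_unix_* configuration rejected"
```

On a real client, run `ldapclient list > /tmp/client.txt` and pass that file together with /etc/pam.conf.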