With pam_krb5 performing account and password management, the Kerberos environment manages all of the account, password, account lockout, and other account management details.
If you do not use pam_krb5, then configure the LDAP naming service to take advantage of the password and account lockout policy support in OUD. You can configure pam_ldap to support user account management. With the proper PAM configuration, the passwd command enforces password syntax rules set by the OUD password policy. However, do not enable account management for proxy accounts.
The pam_ldap module supports the following account management features, which you can enable. These features depend on the OUD password and account lockout policy configuration:
Password aging and expiration notification – Users must change their passwords according to a schedule. Otherwise, the password expires and user authentication fails. Users are warned whenever they log in within the expiration warning period. The warning includes the remaining time before password expiration.
Password syntax checking – New passwords must meet the minimum password length requirements. A password must not match the value of the uid, cn, sn, or mail attributes in the user’s directory entry.
Password history checking – Users cannot reuse passwords. LDAP administrators can configure the number of passwords kept in the server’s history list.
User account lockout – A user account can be locked out after a specified number of repeated authentication failures. Users can also be locked out if their accounts are inactivated by an administrator. Authentication continues to fail until the account lockout time has passed or the administrator reactivates the account.
These account management features work only with OUD. For information about configuring the password and account lockout policy on the LDAP server, see Directory Server Password Policy in Oracle® Fusion Middleware Administering Oracle Unified Directory.
Before configuring the password and account lockout policy on OUD, make sure all hosts use the most recent version of the LDAP client with pam_ldap account management. Additionally, make sure the clients have a properly configured pam.conf file. Otherwise, the LDAP naming service fails when proxy or user passwords expire.
The LDAP naming service supports the full functionality of the passwd command and the pam_unix_* modules in the files naming service. If the enableShadowUpdate switch is enabled, account management functionality becomes available to both local accounts and LDAP accounts. The functionality includes password aging, account expiry and notification, and failed login account locking. Also, LDAP supports the -dluNfnwx options of the passwd command. The enableShadowUpdate switch enables the implementation of consistent account management for users who are defined in both the files and the LDAP scope.
The pam_ldap and the pam_unix_* modules are incompatible. The pam_ldap module requires that passwords be modifiable by users, but the pam_unix_* modules do not allow the users to modify passwords. Therefore, you cannot use the two modules together in the same LDAP naming domain. Either all clients use the pam_ldap module or all clients use the pam_unix_* modules. As a consequence of this limitation, you might need to use a dedicated LDAP server in cases where a web or email application, for example, might require users to change their own passwords on the LDAP server.
Implementing enableShadowUpdate also requires that the administrator credential (adminDN and adminPassword) is stored locally on every client in the svc:/network/ldap/client service.
Do not change the /etc/pam.conf file to use the pam_unix_* modules for account management. The default /etc/pam.conf file is sufficient.