
Securing Systems and Attached Devices in Oracle® Solaris 11.4


Updated: November 2020

How to Specify a New Password Algorithm for an LDAP Domain

Once the LDAP client is properly configured, it can use the new password algorithms, and it behaves just as an NIS client does.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Specify a password encryption algorithm in the /etc/security/policy.conf file on the LDAP client.

    Note - If you are using the account-policy SMF stencil and the config/etc_default_passwd property is enabled, you must change the corresponding SMF property on every system that will use this new algorithm. For examples, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.
  2. Copy the modified policy.conf file to every client system in the LDAP domain.
  3. Ensure that the client's /etc/pam.conf file does not use a pam_ldap module.

    Ensure that a comment sign (#) precedes entries that include pam_ldap.so.1. Also, do not use the server_policy option with the pam_authtok_store.so.1 module.

    The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.

    When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file and encrypts the password on the client system. The client then sends the encrypted password, with a {crypt} tag, to the server; the tag tells the server that the password is already encrypted, so the server stores it as is. For authentication, the client retrieves the stored password from the server and compares it with the encrypted version that it has just generated from the user's typed password.

    Note - To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the LDAP server. For the procedure, see Chapter 4, Setting Up an Oracle Unified Directory Server or OpenLDAP Server in Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP.
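Added example, not from the Oracle Solaris documentation: a shell script that checks a client's policy.conf and pam.conf for the conditions steps 1 and 3 require, run here against constructed sample files rather than the real /etc/security/policy.conf and /etc/pam.conf. The CRYPT_DEFAULT identifier 6 and the crypt_sha512 module name are taken from Oracle Solaris crypt.conf, not from this page.

```shell
#!/bin/sh
# Added example (not Oracle's code): verify the policy.conf and pam.conf
# conditions of this procedure. Paths are arguments so the checks can run
# on constructed copies; on a client use the real /etc files.

# Print the last uncommented CRYPT_DEFAULT value in a policy.conf file.
crypt_default() {
    sed -n 's/^[[:space:]]*CRYPT_DEFAULT=//p' "$1" | tail -n 1
}

# Return 0 when pam.conf has no active pam_ldap.so.1 entry and no
# server_policy option on pam_authtok_store.so.1 (client-side encryption
# with the {crypt} tag requires both); otherwise report and return 1.
pam_conf_ok() {
    active=$(grep -v '^[[:space:]]*#' "$1")
    if printf '%s\n' "$active" | grep -q 'pam_ldap\.so\.1'; then
        printf 'active pam_ldap.so.1 entry in %s\n' "$1" >&2
        return 1
    fi
    if printf '%s\n' "$active" | grep 'pam_authtok_store\.so\.1' | grep -q 'server_policy'; then
        printf 'server_policy set on pam_authtok_store.so.1 in %s\n' "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not real system files) to exercise the checks.
TMP=$(mktemp -d)
GOOD_POLICY="$TMP/policy.conf"; BAD_PAM="$TMP/pam.bad"; GOOD_PAM="$TMP/pam.good"
cat > "$GOOD_POLICY" <<'EOF'
# CRYPT_DEFAULT=6 selects the crypt_sha512 module listed in crypt.conf
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_DEFAULT=6
EOF
cat > "$BAD_PAM" <<'EOF'
login auth sufficient pam_ldap.so.1
other password required pam_authtok_store.so.1 server_policy
EOF
cat > "$GOOD_PAM" <<'EOF'
#login auth sufficient pam_ldap.so.1
other password required pam_authtok_store.so.1
EOF

crypt_default "$GOOD_POLICY"
pam_conf_ok "$BAD_PAM" || echo "fix $BAD_PAM before copying it to clients"
pam_conf_ok "$GOOD_PAM" && echo "$GOOD_PAM is acceptable"
```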