Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
Previous Next

pam_ldap Changes

The Solaris 10 OS release introduced several changes to pam_ldap, identified in the following list. See the pam_ldap(5) man page for more information.

  • The previously supported use_first_pass and try_first_pass options are obsolete as of the Solaris 10 software release. These options are no longer needed, may safely be removed from pam.conf, and are silently ignored. They may be removed in a future release.

  • Password prompting must be provided for by stacking pam_authtok_get before pam_ldap in the authentication and password module stacks, and by including pam_passwd_auth in the passwd service auth stack.

  • The previously supported password update function is replaced in this release by the previously recommended use of pam_authtok_store with the server_policy option.

  • The pam_ldap account management feature strengthens the overall security of the LDAP Naming Service. Specifically, the account management feature does the following.

    • Allows for tracking password aging and expiration

    • Prevents users from choosing trivial or previously used passwords

    • Warns users if their passwords are about to expire

    • Locks out users after repeated login failures

    • Prevents users, other than the authorized system administrator, from deactivating initialized accounts

It is not possible to provide a clean automated update for the changes listed above. Therefore, an upgrade to a Solaris 10 or later release will not automatically update the existing pam.conf file to reflect the pam_ldap changes. If the existing pam.conf file contains a pam_ldap configuration, you will be notified after the upgrade via the CLEANUP file. You will need to examine the pam.conf file and modify it, as needed.

See pam_passwd_auth(5), pam_authtok_get(5), pam_authtok_store(5), and pam.conf(4) man pages for more information.

Previous Next

  Published under the terms fo the Public Documentation License Version 1.01. Design by Interspire