I should add that I use the pam_krb5 module already, so in that case should 'lock_after_retries' be implemented within the KDC or on the LDAP level?
On Tue, Jul 6, 2010 at 3:37 PM, Darren J Moffat <[email protected]> wrote:
> On 06/07/2010 14:13, Piotr Jasiukajtis wrote:
>>
>> How can I use account locking (lock_after_retries=yes) using LDAP
>> naming service instead of passwd/shadow?
>
> You can't, in the user_attr(4) man page it clearly says:
>
>     lock_after_retries
>
>         Specifies whether an account is locked after the
>         count of failed logins for a user equals or exceeds
>         the allowed number of retries as defined by RETRIES
>         in /etc/default/login. Possible values are yes or
>         no. The default is no. Account locking is applicable
>                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>         only to local accounts.
>         ^^^^^^^^^^^^^^^^^^^^^^^
>
> For LDAP this type of functionality is the responsibility of the LDAP directory
> server, and means that you should use pam_ldap rather than pam_unix_auth on
> the OpenSolaris client.
>
> Making things like lock_after_retries, and password history work when using
> pam_unix_auth is difficult and would likely require a secure connection to a
> daemon running on the LDAP server anyway so that it can securely update the
> database to indicate the account is locked (something like what
> rpc.nispasswdd did for NIS+).
>
> --
> Darren J Moffat
>

--
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com

_______________________________________________
security-discuss mailing list
[email protected]
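To make Darren's point concrete, here is an added /etc/pam.conf fragment for the "login" service that is not from the thread: it shows the default stack, where pam_unix_auth checks the password on the client so user_attr's lock_after_retries cannot apply to an LDAP account, beside a stack that delegates the check (and therefore any lockout policy) to the directory through pam_ldap. Module names and the "binding" flag and "server_policy" option follow the Solaris pam.conf(4), pam_unix_auth(5) and pam_ldap(5) conventions; the exact lines for a given release are an assumption to verify against its man pages.

```conf
# Added example (not from the thread): OpenSolaris /etc/pam.conf, "login" service.
# Only one of the two "auth" stacks below may be active at a time.

# --- Default stack: password verified on the client by pam_unix_auth. ---
# For an LDAP user there is no local shadow entry to record failures in,
# so lock_after_retries=yes in user_attr never takes effect.
#login  auth requisite  pam_authtok_get.so.1
#login  auth required   pam_dhkeys.so.1
#login  auth required   pam_unix_cred.so.1
#login  auth required   pam_unix_auth.so.1

# --- LDAP-aware stack: the directory server enforces its own policy. ---
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
# "binding": a local success ends the stack; "server_policy": skip the
# UNIX policy for accounts whose authority is a server, so LDAP users
# fall through to pam_ldap instead of being judged by pam_unix_auth.
login   auth binding    pam_unix_auth.so.1 server_policy
login   auth required   pam_ldap.so.1

# Account management mirrors the same split: local accounts keep the
# user_attr/shadow checks, directory accounts get the server's verdict
# (including "account locked" after too many failed binds, if the
# directory's password policy is configured to lock them).
login   account requisite pam_roles.so.1
login   account binding   pam_unix_account.so.1 server_policy
login   account required  pam_ldap.so.1
```

With this stack the retry count and lock state for directory users live in the directory server's password policy, which is where they should be inspected or cleared; RETRIES in /etc/default/login only still governs the local accounts.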
