pam_unix now supports shadow entries in ldap, allowing local control using ldap as a repository. See 6715171, long since put back.
On 07/06/10 06:37, Darren J Moffat wrote:
On 06/07/2010 14:13, Piotr Jasiukajtis wrote:
How can I use account locking (lock_after_retries=yes) using LDAP
naming service instead of passwd/shadow?
You can't; the user_attr(4) man page clearly says:
lock_after_retries
Specifies whether an account is locked after the
count of failed logins for a user equals or exceeds
the allowed number of retries as defined by RETRIES
in /etc/default/login. Possible values are yes or
no. The default is no. Account locking is applicable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
only to local accounts.
^^^^^^^^^^^^^^^^^^^^^^^
For LDAP this type of functionality is the responsibility of the LDAP
directory server, and means that you should use pam_ldap rather than
pam_unix_auth on the OpenSolaris client.
Making things like lock_after_retries, and password history work when
using pam_unix_auth is difficult and would likely require a secure
connection to a daemon running on the LDAP server anyway so that it
can securely update the database to indicate the account is locked
(something like what rpc.nispasswdd did for NIS+).
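As an added illustration of the "local accounts only" caveat above (this script is not from the thread or from the pam_unix code), the audit below reads constructed copies of user_attr(4), the local passwd file and /etc/default/login and flags users that carry lock_after_retries=yes without a local passwd entry, where pam_unix locking never takes effect. Treating "present in the passwd file" as "local account" is a simplification; the real decision is made by the naming service configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit constructed copies of user_attr(4)
# and /etc/default/login, flagging lock_after_retries=yes on accounts that are
# not in the local passwd file, where pam_unix locking does not apply.
# Constructed sample user_attr(4): name:qualifier:res1:res2:attr
USER_ATTR_SAMPLE='root::::auths=solaris.*;lock_after_retries=no
alice::::profiles=Basic Solaris User;lock_after_retries=yes
bob::::lock_after_retries=yes
carol::::lock_after_retries=no'
# Constructed local passwd; bob is an LDAP-only user, so he is absent here
PASSWD_SAMPLE='root:x:0:0:Super-User:/root:/usr/bin/bash
alice:x:1001:10::/export/home/alice:/bin/sh
carol:x:1002:10::/export/home/carol:/bin/sh'
# Constructed /etc/default/login carrying the retry threshold
LOGIN_SAMPLE='RETRIES=5'
# retries_threshold <login-file>: print the RETRIES value
retries_threshold() {
    sed -n 's/^RETRIES=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}
# lock_status <user_attr-file> <passwd-file> <user>: prints locks (local, yes),
# no-lock (no or unset), ldap-ignored (yes but not local), unknown (no entry)
lock_status() {
    attr=$(awk -F: -v u="$3" '$1 == u { print $5 }' "$1")
    [ -n "$attr" ] || { echo unknown; return 0; }
    case ";$attr;" in
        *";lock_after_retries=yes;"*) want=yes ;;
        *) want=no ;;
    esac
    if [ "$want" = yes ]; then
        if grep -q "^$3:" "$2"; then echo locks; else echo ldap-ignored; fi
    else
        echo no-lock
    fi
}
# audit <user_attr-file> <passwd-file>: one status line per user_attr entry
audit() {
    awk -F: '{ print $1 }' "$1" | while read -r u; do
        printf '%s %s\n' "$u" "$(lock_status "$1" "$2" "$u")"
    done
}
# Write the constructed samples to temp files and run the audit
tmp=${TMPDIR:-/tmp}/lockaudit.$$; mkdir -p "$tmp"; trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$USER_ATTR_SAMPLE" > "$tmp/user_attr"
printf '%s\n' "$PASSWD_SAMPLE" > "$tmp/passwd"
printf '%s\n' "$LOGIN_SAMPLE" > "$tmp/login"
echo "RETRIES threshold: $(retries_threshold "$tmp/login")"
audit "$tmp/user_attr" "$tmp/passwd"
```

Run against the real files only after confirming the naming-service order, since a user resolved through LDAP may still have a stale local passwd line.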
security-discuss mailing list