Security Software

Password Aging and Account Lockout do not work in a LDAP Naming Service Env

807573, Aug 31 2007 (edited Oct 30 2007)
I have configured LDAP to be the Naming Service. Following are the Details:
- LDAP Server has DS 5.2 P4
- LDAP Clients are Solaris 8 machines with the latest kernel and LDAP patches

Password Policy is enabled on the Directory Server Side:
dn: cn=UNIX-account PCI compliant policy,o=unix
passwordMinAge: 0
passwordLockoutDuration: 1800
passwordResetFailureCount: 300
passwordMaxFailure: 6
passwordUnlock: on
passwordLockout: on
passwordStorageScheme: crypt
passwordRootdnMayBypassModsChecks: on
passwordCheckSyntax: on
passwordExp: on
passwordExpireWithoutWarning: on
passwordChange: on
passwordMustChange: on
cn: UNIX-account PCI compliant policy
passwordWarning: 864000
passwordMinLength: 8
passwordMaxAge: 7776000
passwordInHistory: 8
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
entrydn: cn=unix-account pci compliant policy,o=unix

LDAP Client has been initialized properly and logins work fine. Following is a sample of pam.conf:
#
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth required pam_dial_auth.so.1
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth binding pam_unix_auth.so.1 server_policy
dtlogin auth required pam_ldap.so.1
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# Account management
#
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account binding pam_unix_account.so.1 server_policy
login account required pam_ldap.so.1
#
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account binding pam_unix_account.so.1 server_policy
dtlogin account required pam_ldap.so.1
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Session management
#
other session required pam_unix_session.so.1
#
# Password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth binding pam_unix_auth.so.1 server_policy
dtsession auth required pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#dtlogin auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#dtlogin account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
#
# Support for Solaris PPP (sppp)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
ppp auth required pam_dial_auth.so.1
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account binding pam_unix_account.so.1 server_policy
ppp account required pam_ldap.so.1
ppp session required pam_unix_session.so.1
passwd auth binding pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
#cron account optional pam_krb5.so.1


I am not able to get the password policy to work properly. The failures that I see are:
1. Invalid logins on the LDAPClient do not increment passwordretrycount.
2. The password policy is set so that the user is asked to reset his password when he first logs in, in case his password was reset by the administrator. The user does not get this prompt.

Appreciate any suggestions/existing bug info in SUN Directory Server.

Thanks
Locked on Nov 27 2007. 4 comments, 139 views.
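Two checks that help narrow down the symptoms described in the post, written here as an added example (this is not the poster's code and not part of the original thread). The first parses the password-policy LDIF quoted above and spells out what its numbers mean: under Directory Server 5.x semantics, passwordResetFailureCount is the window in seconds after which the failure counter is reset, so an account only locks when passwordMaxFailure bad binds land inside that window. The second parses a pam.conf and flags every auth/account stack that departs from the pattern assumed here for server-side policy: the local module (pam_unix_auth, pam_unix_account or pam_passwd_auth) that precedes pam_ldap is `binding` with `server_policy`, so that LDAP users fall through to pam_ldap, which binds as the user and lets the server count the failure and raise the must-change flag. The LDIF and pam.conf excerpts embedded below are constructed from the post; the "expected pattern" is this example's assumption, not a statement from the post.

```python
"""Two checks for the setup described in the post above (added example, not
the poster's own code): summarize the DS password policy, then audit pam.conf
against an assumed pattern: the local module before pam_ldap is 'binding'
with 'server_policy' so LDAP users fall through to pam_ldap."""
from collections import defaultdict

# Constructed excerpt of the password-policy LDIF quoted in the post.
POLICY_LDIF = """\
dn: cn=UNIX-account PCI compliant policy,o=unix
passwordLockoutDuration: 1800
passwordResetFailureCount: 300
passwordMaxFailure: 6
passwordLockout: on
passwordMustChange: on
passwordWarning: 864000
passwordMaxAge: 7776000
objectClass: top
objectClass: passwordpolicy
"""

# Constructed excerpt of the pam.conf quoted in the post (a few stacks only).
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
"""

LOCAL_MODULES = {"pam_unix_auth.so.1", "pam_unix_account.so.1", "pam_passwd_auth.so.1"}
LDAP_MODULE = "pam_ldap.so.1"


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: lower-cased attribute -> list of values."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry[attr.strip().lower()].append(value.strip())
    return entry


def summarize_policy(entry):
    """Derive the numbers an admin reasons about from the raw policy attributes.

    Assumption (DS 5.x semantics): passwordResetFailureCount is the window in
    seconds after which the failure counter resets, so a lockout requires
    passwordMaxFailure bad binds inside that window."""
    def seconds(attr):
        return int(entry[attr.lower()][0])
    return {
        "lockout_enabled": entry["passwordlockout"][0] == "on",
        "max_failure": seconds("passwordMaxFailure"),
        "failure_window_s": seconds("passwordResetFailureCount"),
        "lockout_duration_min": seconds("passwordLockoutDuration") / 60,
        "max_age_days": seconds("passwordMaxAge") / 86400,
        "warning_days": seconds("passwordWarning") / 86400,
        "must_change_after_reset": entry["passwordmustchange"][0] == "on",
    }


def parse_pam_conf(text):
    """{(service, type): [(control, module, options), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        service, mtype, control, module, *options = line.split()
        stacks[(service, mtype)].append((control, module, options))
    return stacks


def audit_pam(stacks):
    """Return (service, type, message) for every stack off the assumed pattern."""
    findings = []
    for (service, mtype), entries in stacks.items():
        modules = [m for _, m, _ in entries]
        if LDAP_MODULE not in modules:
            if any(m in LOCAL_MODULES for m in modules):
                findings.append((service, mtype, "no pam_ldap: server policy never consulted"))
            continue
        # Only the local modules *before* pam_ldap decide whether it is reached.
        for control, module, options in entries[: modules.index(LDAP_MODULE)]:
            if module not in LOCAL_MODULES:
                continue
            if control != "binding":
                findings.append((service, mtype, f"{module} is '{control}', expected 'binding'"))
            if "server_policy" not in options:
                findings.append((service, mtype, f"{module} lacks server_policy"))
    return findings


if __name__ == "__main__":
    for key, value in summarize_policy(parse_ldif_entry(POLICY_LDIF)).items():
        print(f"{key:24} {value}")
    for finding in audit_pam(parse_pam_conf(PAM_CONF)):
        print("pam.conf:", *finding)
```

Run against the quoted policy, the summary shows a 30-minute lockout that only triggers on 6 failures inside a 300-second window; a test that spaces bad logins more than five minutes apart will never reach the threshold even when the client is sending every failure to the server, so that is the first thing to verify before suspecting pam_ldap. The audit reports the `rsh` auth stack (pam_unix_auth is `required`, not `binding`), the `passwd` auth stack (no `server_policy`) and the local-only `cron` account stack; the `login`, `dtlogin` and `other` stacks match the pattern.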