Password policy for Solaris 10 ldap client, with openldap server (not DS).

807573, Aug 26 2008 (edited Apr 6 2009)
How can I configure my ldap db to implement a password policy for a Solaris 10 nssldap client system?

I thought the nis.schema attribute 'shadowMax' would be the way to go, but it seems this is ignored by the Solaris client configuration I have in place and I couldn't spot an equivalent in the solaris.schema file.

How does the DS do this? By means of a separate object class with pw policy attributes?
I'm mainly interested in password complexity checks (can also be done through pam I suppose) and password expiration policy settings.

Current ldap structure:
# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: domain
objectClass: nisDomainObject
objectClass: dcObject
nisDomain: example.com
o: Example Companies
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn:: TWFuYWdlciA=

# group, example.com
dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

# profile, example.com
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

# proxyagent, profile, example.com
dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person

# sol8profile, profile, example.com
dn: cn=sol8profile,ou=profile,dc=example,dc=com
objectClass: top
objectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: secret
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile

# sol9profile, profile, example.com
dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2

# default, profile, example.com
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2

# tls_profile, profile, example.com
dn: cn=tls_profile,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com
serviceSearchDescriptor: group: ou=group,dc=example,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com

# users, group, example.com
dn: cn=users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100

# texp, People, example.com
dn: uid=texp,ou=People,dc=example,dc=com
uid: texp
sn: User Expired password
cn: Test User Expired password
uidNumber: 1017
gidNumber: 100
shadowMax: 1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /tmp
gecos: Test User Expired password
shadowLastChange: 14120
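An added example, not part of this thread and not a Sun- or OpenLDAP-supplied file: one way to keep expiration, history, minimum length and lockout on the OpenLDAP side is the ppolicy overlay, with the policy held as a pwdPolicy entry under the poster's dc=example,dc=com base and the per-user operational attributes maintained by the server rather than by shadowMax. Assumed here: a static slapd.conf, the ou=policies container name, the numeric values chosen, and that the Solaris 10 pam_ldap client honours the ppolicy request/response controls, which has to be confirmed against that client.

```ldif
# slapd.conf (assumed static-config slapd): enable the overlay for the
# dc=example,dc=com database. Schema path is a placeholder.
#   include    /etc/openldap/schema/ppolicy.schema
#   moduleload ppolicy.la            # only if slapd uses dynamic modules
#   overlay    ppolicy
#   ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
#   ppolicy_use_lockout              # tell the client when an account is locked
#
# Entries below are loaded with (binding as the existing Manager entry):
#   ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ppolicy.ldif

# Container for policy entries (constructed name).
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

# Default policy. pwdPolicy is AUXILIARY, so a structural class is required;
# the OpenLDAP admin guide uses person with a dummy sn for this purpose.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 3
pwdInHistory: 5
pwdMinLength: 8
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
# pwdMaxAge 7776000 s = 90 days (server-side counterpart of shadowMax),
# pwdExpireWarning 14 days, lockout after 5 failures for 900 s, failures
# never age out (interval 0). pwdCheckQuality 2 rejects a password whose
# quality cannot be checked (e.g. sent pre-hashed); without a pwdCheckModule
# the only built-in quality check is pwdMinLength, so further complexity
# rules stay with PAM or a check module. A user entry can carry
# pwdPolicySubentry: <dn of another pwdPolicy> to override this default.
```

Once loaded, `ldapsearch -x -D cn=Manager,dc=example,dc=com -W -b uid=texp,ou=People,dc=example,dc=com '+'` shows the operational attributes the overlay maintains (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime), which is the quickest way to see whether binds from the Solaris client are actually being evaluated against the policy.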