Pam unix with LDAP server account lockout
From Brandonhutchinson.com
Revision as of 22:26, 14 December 2007
Overview
In order to support a legacy application, I have to meet the following requirements:
- pam_unix must be used.
- The Directory Server must only store user passwords in {crypt} format.
- User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.
Run the following commands on both Directory Servers:
# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled
- The Directory Server must only store user passwords in crypt format.
The default user password storage scheme is SSHA. To change it to crypt, run the following command on both Directory Servers:
# dsconf set-server-prop pwd-storage-scheme:crypt
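Switching pwd-storage-scheme only affects passwords set after the change, so accounts that still carry an SSHA hash keep it until the user next changes their password. As an added example, not from the original page, this Python audit reads an LDIF export (constructed sample data) and lists the entries whose userPassword is not stored in {crypt} format; the DNs, attribute values and the SAMPLE_LDIF contents are assumptions.

```python
import base64
import re

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export (not from the page): plain and base64 ('::') values.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword: {crypt}abJnggxhB/yWI\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    "userPassword: {SSHA}" + _b64("sample-digest+salt") + "\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\n"
    "userPassword:: " + _b64("{crypt}abJnggxhB/yWI") + "\n\n"
    "dn: uid=dave,ou=People,dc=example,dc=com\n"
    "userPassword: clear-text-secret\n"
)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds ' '-continued lines,
    decodes '::' base64 values, does no schema validation."""
    out = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        out.append((attrs.get("dn", [""])[0], attrs))
    return out

def password_scheme(value):
    """Storage-scheme tag of a userPassword value; no {tag} means clear text."""
    m = re.match(r"\{([^}]+)\}", value)
    return m.group(1).lower() if m else "clear"

def audit_non_crypt(ldif_text):
    """DN -> scheme for every entry whose password is not stored as {crypt}.
    These users keep their old hash until they set a new password."""
    return {dn: password_scheme(pw)
            for dn, attrs in parse_ldif(ldif_text)
            for pw in attrs.get("userpassword", [])
            if password_scheme(pw) != "crypt"}

if __name__ == "__main__":
    for dn, scheme in sorted(audit_non_crypt(SAMPLE_LDIF).items()):
        print(f"{dn}: stored as {scheme}; needs a password reset")
```

Run it against a real `dsconf export` (or `ldapsearch`) LDIF to find the accounts that must reset their password before the legacy application can authenticate them.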
