pam_unix with LDAP server account lockout

From Brandonhutchinson.com

Revision as of 22:33, 14 December 2007


Overview

In this example, I have a Solaris 8 LDAP client and two Solaris 10 DSEE 6.2 servers configured with multimaster replication. In order to support a legacy application, I have to meet the following requirements:

  • pam_unix must be used.
  • User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.
  • The Directory Server must only store user passwords in crypt format.

DSEE Steps

  • User accounts should be locked out indefinitely (i.e., the administrator must unlock the account) after 3 unsuccessful attempts.

Password policy properties set with dsconf set-server-prop live in the server's own configuration (cn=config), which is not replicated, so run the following commands on both Directory Servers:

# dsconf set-server-prop pwd-lockout-enabled:on
# dsconf set-server-prop pwd-max-failure-count:3
# dsconf set-server-prop pwd-lockout-duration:disabled
  • The Directory Server must only store user passwords in crypt format.

The default password storage scheme is SSHA (salted SHA-1). To change it to crypt, run the following command on both Directory Servers. Be aware of what this costs: crypt is the traditional Unix crypt(3) scheme, which hashes only the first 8 characters of the password with a 12-bit salt and is far cheaper to crack offline than SSHA, so make this change only because the legacy application requires it and keep read access to userPassword tightly restricted by ACI. Existing SSHA hashes are not converted; each user's password is stored in the new scheme the next time it is changed.

# dsconf set-server-prop pwd-storage-scheme:crypt

PAM Steps

  • pam_unix must be used.

Add the server_policy option to the pam_unix_auth.so.1 auth line in the default /etc/pam.conf (the option is the only change):

other   auth required           pam_unix_auth.so.1 server_policy

With server_policy, pam_unix_auth defers authentication of LDAP users to the Directory Server (a bind as the user's entry), so every failed attempt is counted by the server's password policy and the lockout above takes effect. Without it, the module compares the supplied password locally against the crypt hash it retrieves from the directory, and the server never sees the failure.
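The stock Solaris pam.conf gives several services (login, rlogin, dtlogin, ...) their own auth stacks with explicit pam_unix_auth.so.1 entries, and those are not covered by editing only the other stack: a service whose entry lacks server_policy keeps authenticating locally and never trips the Directory Server's failure counter. The following POSIX sh script is an added example, not part of the original page, that audits a pam.conf for exactly that. The sample file it writes is constructed to resemble a stock pam.conf in which only the other stack was changed as described above; the service names and lines in it are illustrative, not copied from any real system.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Solaris /etc/pam.conf.
# Every "auth" entry that loads pam_unix_auth.so.1 must carry server_policy;
# otherwise that service compares the password locally against the crypt hash
# fetched from LDAP and the Directory Server's pwd-max-failure-count never
# increments for it.
#
# Usage: sh audit_pam.sh /etc/pam.conf   (no argument runs the built-in sample)

# Print every pam_unix_auth.so.1 auth entry lacking server_policy.
# Returns 0 when all such entries carry the flag, 1 otherwise.
audit_pam_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
        $2 == "auth" && $4 ~ /pam_unix_auth\.so\.1$/ {
            has_flag = 0
            for (i = 5; i <= NF; i++) if ($i == "server_policy") has_flag = 1
            if (!has_flag) {
                printf "%s: service \"%s\" loads %s without server_policy\n", FILENAME, $1, $4
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Number of offending entries, for use in other scripts (0 means the audit passed).
count_missing_server_policy() {
    audit_pam_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: looks like a stock pam.conf where only the "other" stack
# was edited. login and rlogin keep their own pam_unix_auth entries and are missed.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real system's file
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_unix_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1 server_policy
other   account required        pam_unix_account.so.1
EOF
}

report() {
    if audit_pam_conf "$1"; then
        echo "OK: every pam_unix_auth auth entry in $1 carries server_policy"
    else
        echo "FAIL: the entries above bypass the Directory Server lockout policy"
    fi
}

if [ "${1:-}" != "" ]; then
    report "$1"
else
    tmp="${TMPDIR:-/tmp}/pam.conf.sample.$$"
    write_sample_pam_conf "$tmp"
    report "$tmp"        # reports login and rlogin
    rm -f "$tmp"
fi
```

The awk pattern matches both the bare module name and a full /usr/lib/security path, and the function's exit status lets the check be dropped into a post-change verification step after every pam.conf edit on the client.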



OpenSSH Steps
