Hello All,
I have Sun DSEE7 (11g) on Solaris 10.
I have run idsconfig and initialized ldap client with profile created using idsconfig.
My ldap authentication works. Here is my pam.conf
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth required pam_dial_auth.so.1
Similar for rlogin, krlogin, rsh and other auth.
My requirement is that if a new user created in LDAP logs in to Solaris, the system should prompt for a password reset. My LDAP password policy sets the attribute: force reset on initial logon.
A user who has already logged in must be able to log in even if the LDAP server is down.
Help is appreciated.
Thanks,
I thought new users were given an expired password date, and that is why they have to change their pw, part of a security model that protects the admin, as the password the admin gives out is not usable except to set a new one.
Then you are going to have to support local authentication as well as LDAP authentication. A better approach would be to have a secondary/slave LDAP server.
I was successful in having the user forced to reset the password. I had to do two things:
- Update the LDAP global password policy with two flags:
a) force password reset after initial logon
b) force password reset after admin resets the password.
- Add some lines to /etc/pam.conf for the account section:
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
We are going to have high availability and slave servers for sure.
Consider somebody using a laptop when they are not connected to the network. They should be able to log on.
Thanks,
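As an added illustration (not part of the thread and not Sun's or anyone's tool), the following POSIX sh/awk check parses a pam.conf fragment and reports whether a service's stack for a given module type lists a module such as pam_ldap.so.1. It applies the pam.conf(4) rule that a service with no entries of a given type falls back to the "other" entries, which is why the poster's "other account" lines also cover login. The pam.conf content embedded below is constructed to mirror the stacks quoted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample pam.conf content (mirrors the stacks quoted in the thread;
# not a copy of any real host's file).
PAM_SAMPLE='# Authentication management
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth required pam_dial_auth.so.1
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other password required pam_dhkeys.so.1'

# pam_stack_has_module SERVICE TYPE MODULE CONF
# Prints "yes" if the SERVICE/TYPE stack in CONF lists MODULE, else "no".
# If SERVICE has no entries of TYPE, the "other" entries of TYPE apply instead,
# exactly as pam.conf(4) resolves them. Module paths are compared by basename.
pam_stack_has_module() {
    printf '%s\n' "$4" | awk -v svc="$1" -v typ="$2" -v mod="$3" '
        $1 ~ /^#/ || NF < 4 { next }                 # skip comments, short lines
        { m = $4; sub(/.*\//, "", m) }               # strip any directory prefix
        $1 == svc && $2 == typ { explicit = 1; if (m == mod) found = 1 }
        $1 == "other" && $2 == typ && m == mod { other_found = 1 }
        END {
            if (explicit) print (found ? "yes" : "no")
            else          print (other_found ? "yes" : "no")
        }'
}

# pam_services_missing_module TYPE MODULE CONF
# Lists (sorted, one per line) every service that has an explicit TYPE stack
# which does not include MODULE. Useful for spotting a service whose own
# account stack would bypass the LDAP password-policy check.
pam_services_missing_module() {
    printf '%s\n' "$3" | awk -v typ="$1" -v mod="$2" '
        $1 ~ /^#/ || NF < 4 { next }
        { m = $4; sub(/.*\//, "", m) }
        $2 == typ { seen[$1] = 1; if (m == mod) has[$1] = 1 }
        END { for (s in seen) if (!has[s]) print s }' | sort
}

# Stand-alone usage against the constructed sample.
echo "login auth uses pam_ldap:    $(pam_stack_has_module login auth pam_ldap.so.1 "$PAM_SAMPLE")"
echo "login account uses pam_ldap: $(pam_stack_has_module login account pam_ldap.so.1 "$PAM_SAMPLE")"
echo "password stacks missing pam_ldap: $(pam_services_missing_module password pam_ldap.so.1 "$PAM_SAMPLE")"
```

To check a live host, replace the embedded sample with "$(cat /etc/pam.conf)"; a service that reports "no" for the account type will not run pam_ldap's account check, so an LDAP "must change password" flag will not be enforced for that service.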