08-04-2014
Quote:
Originally Posted by
rbatte1
You would need to ensure that whatever LDAP server you use, that the rules can be applied there too.
Exactly. You can use a local password verification mechanism too (in addition, respectively), but usually the ultimate verification is on the LDAP server. In most cases this means some PAM modules, one of which should deny passwords which are equal to user names.
It is also possible to get the user information via LDAP and verify the passwords via Kerberos (actually this is what "Active Directory" does). In this case you need to configure the Kerberos server with the respective rule.
I hope this helps.
bakunin
pam_ldap(8)                    System Manager's Manual                    pam_ldap(8)

NAME
       pam_ldap - PAM module for LDAP-based authentication

SYNOPSIS
       pam_ldap.so [...]

DESCRIPTION
       This is a PAM module that uses an LDAP server to verify user access rights and credentials.

OPTIONS
       use_first_pass
              Specifies that the PAM module should use the first password provided in the authentication stack and not prompt the user for a password.

       try_first_pass
              Specifies that the PAM module should use the first password provided in the authentication stack and, if that fails, prompt the user for a password.

       nullok
              Specifying this option allows users to log in with a blank password. Normally logins without a password are denied.

       ignore_unknown_user
              Specifies that the PAM module should return PAM_IGNORE for users that are not present in the LDAP directory. This causes the PAM framework to ignore this module.

       ignore_authinfo_unavail
              Specifies that the PAM module should return PAM_IGNORE if it cannot contact the LDAP server. This causes the PAM framework to ignore this module.

       no_warn
              Specifies that warning messages should not be propagated to the PAM application.

       use_authtok
              This causes the PAM module to use the earlier provided password when changing the password. The module will not prompt the user for a new password (it is analogous to use_first_pass).

       debug
              This option causes the PAM module to log debugging information to syslog(3).

       minimum_uid=UID
              This option causes the PAM module to ignore the user if the user id is lower than the specified value. This can be used to bypass LDAP checks for system users (e.g. by setting it to 1000).

MODULE SERVICES PROVIDED
       All services are provided by this module, but currently session changes are not implemented in the nslcd daemon.

FILES
       /etc/pam.conf
              the main PAM configuration file

       /etc/nslcd.conf
              The configuration file for the nslcd daemon (see nslcd.conf(5))

SEE ALSO
       pam.conf(5), nslcd(8), nslcd.conf(5)

AUTHOR
       This manual was written by Arthur de Jong <arthur@arthurdejong.org>.

Version 0.8.10                        Jun 2012                          pam_ldap(8)
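An added example, not from the thread above or from the pam_ldap manual, showing how bakunin's point (a PAM module that denies passwords equal to the user name) fits together with the use_authtok and minimum_uid options documented above: a password-change stack in which a quality-checking module rejects the password before pam_ldap stores it in the directory. It assumes /etc/pam.conf syntax, that pam_pwquality is installed, and that 1000 is the first non-system UID; the passwd service name and minlen value are illustrative choices.

```text
# /etc/pam.conf fragment (added example, assumptions as stated in the lead-in)
# Column order in pam.conf: service  type  control  module  arguments

# 1. Quality checks run first and are the only place the user is prompted.
#    usercheck=1 rejects a password that contains the user name (also
#    reversed); enforce_for_root applies the same rule to root, which
#    pam_pwquality otherwise only warns about; retry=3 allows three tries.
passwd  password  requisite   pam_pwquality.so  retry=3 minlen=12 usercheck=1 enforce_for_root

# 2. Local accounts: use_authtok re-uses the password that step 1 accepted,
#    so pam_unix never prompts for a second, unchecked value.
passwd  password  sufficient  pam_unix.so       use_authtok sha512 shadow

# 3. Directory accounts: use_authtok again means pam_ldap only ever receives
#    the password that passed step 1. minimum_uid=1000 keeps system users
#    out of LDAP entirely; ignore_unknown_user lets accounts that are not in
#    the directory fall through instead of failing here.
passwd  password  required    pam_ldap.so       use_authtok minimum_uid=1000 ignore_unknown_user
```

Because step 1 is marked requisite, a rejected password ends the stack immediately, so neither the local shadow file nor the LDAP server is ever asked to store a password equal to the user name; the directory's own policy (as bakunin notes) still has to be configured separately, since this stack only governs changes made through PAM on this host.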