RE: Password Mgmt

From: Darren Moffat (Darren.Moffat@Sun.COM)
Date: 06/13/02


Date: Wed, 12 Jun 2002 15:47:16 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@Sun.COM>
To: focus-sun@securityfocus.com, VIvanov@tee.toshiba.de


>> Attached is a document that describes what each of the fields
>> in shadow(4)
>> provide in terms of policy.
>
>it is mentioned that such functionality could be provided via NIS+ or local
>shadow file.
>so, it seems to me, this is not possible via NIS (as there are no
>appropriate fields in passwd table),
>but what about LDAP?

Correct, NIS has no shadow table, so it can't do it. In theory you could
do this two different ways with LDAP, and it depends on which style of
authentication you are doing.

If you are doing unix authentication (using pam_unix*) then LDAP provides
the same nameservice functionality as NIS in this area.

If you are doing LDAP authentication (using pam_ldap) then the server
that satisfies the LDAP simple bind can do password aging. It is possible
that the policy for this would be held in the user's directory entry.

Note that this does not reflect the functionality of any currently
shipping Sun product.

--
Darren J Moffat
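As an added illustration of the pam_unix-style path discussed above (not code from the thread or from any Sun product): the aging policy lives in the shadow(4) fields, and the same six values can be carried by the RFC 2307 shadowAccount attributes when LDAP is the nameservice. The entries below are constructed, and the shadowAccount mapping is assumed to be the schema such a nameservice would use.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed shadow(4) entry (not from the thread). Layout: user:passwd:lastchg:min:max:warn:inactive:expire:flag,
# with the day fields counted in days since 1970-01-01.
SHADOW_LINE = "alice:$5$saltsalt$hashhashhash:11800:7:90:14:30:12000:"
# Constructed LDAP entry in RFC 2307 shadowAccount form (assumption: the schema an LDAP
# nameservice uses to hand the same fields to pam_unix-style aging checks).
LDAP_ENTRY = {"uid": ["alice"], "shadowLastChange": ["11800"], "shadowMin": ["7"],
              "shadowMax": ["90"], "shadowWarning": ["14"], "shadowInactive": ["30"],
              "shadowExpire": ["12000"]}

@dataclass
class AgingPolicy:
    lastchg: Optional[int]    # day the password was last changed (0 = change at next login)
    min_days: Optional[int]   # days that must pass before the user may change it again
    max_days: Optional[int]   # days the password stays valid
    warn_days: Optional[int]  # days before expiry at which warnings start
    inactive: Optional[int]   # grace days after expiry before the password is locked out
    expire: Optional[int]     # absolute day on which the account itself expires

def _opt(value):
    return int(value) if value not in (None, "") else None

def from_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("shadow(4) entry needs 9 colon-separated fields")
    return AgingPolicy(*(_opt(f) for f in fields[2:8]))

def from_ldap_entry(entry):
    names = ["shadowLastChange", "shadowMin", "shadowMax",
             "shadowWarning", "shadowInactive", "shadowExpire"]
    return AgingPolicy(*(_opt(entry.get(n, [None])[0]) for n in names))

def evaluate(policy, today):
    """State the aging checks report for day number `today`; an empty field disables its check."""
    if policy.expire is not None and today >= policy.expire:
        return "account-expired"
    if policy.lastchg == 0:
        return "must-change"
    if policy.lastchg is not None and policy.max_days is not None:
        age = today - policy.lastchg
        if policy.inactive is not None and age > policy.max_days + policy.inactive:
            return "password-inactive"
        if age > policy.max_days:
            return "password-expired"
        if policy.warn_days is not None and age >= policy.max_days - policy.warn_days:
            return "warn"
    return "ok"
```

Both loaders yield the same AgingPolicy, which is the point of Darren's first case: the policy source changes, the checks do not.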


