Oscar del Rio #1
LDAP password management (aging)
I was reading the LDAP docs for Solaris 9 and found that "password
management" (password aging, expiration, even account lockout on bad
logins) was introduced in Solaris 9 12/02.
Does anyone know if these features of pam_ldap have been or are going
to be ported to earlier releases, perhaps as patches?
We are planning to move user account management to LDAP and password
aging is one of our requirements.
I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
restricted so I could not read the patch description.
If this patch introduced password management, any plans to make it
public? Otherwise I guess we can only get it with a Maintenance
Update or service contract.
Perhaps someone can convince Sun to make the patch public since
password aging can be associated with security? (I know some think
password aging is a bad idea because it encourages users to write them
down, etc, but in some cases it is a good thing).
Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
aging and it is a free patch.
Anyway, in a related note I find it interesting that "account lockout"
has been introduced. I know most of us believe that locking a user
account after # failed login attempts is a Very Bad Idea (TM), but
every once in a while someone asks if this can be done in Solaris
(usually by request of a PHB), and the answer has usually been (in
addition to "don't do it"), that Solaris does not support it unless
the user writes her own PAM module... I guess now we can tell them
to use pam_ldap.
[url]http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view[/url]
"The following password management features are supported through
pam_ldap(5).
[snip]
User account lockout
A user account can be locked out after a given number of repeated
authentication failures. A user can also be locked out if his account is
inactivated by an administrator. Authentication will continue to fail
until the account lockout time is passed or the administrator
reactivates the account."
Oscar del Rio Guest
-
Greg Andrews #2
Re: LDAP password management (aging)
Oscar del Rio <delrio@mie.utoronto.ca> writes:
>I was reading the LDAP docs for Solaris 9 and found that "password
>management" (password aging, expiration, even account lockout on bad
>logins) was introduced in Solaris 9 12/02.
>
>Does anyone know if these features of pam_ldap have been or are going
>to be ported to earlier releases, perhaps as patches?
>
Solaris 9: Patch 112960-07
(from 112960-03)
4357827 pam_ldap should fully support password aging
Solaris 8: Patch 108993-22
(from 108993-14)
4357827 pam_ldap should fully support password aging
-Greg
--
Do NOT reply via e-mail.
Reply in the newsgroup.
Greg Andrews Guest
-
Oscar del Rio #3
Re: LDAP password management (aging)
> > User account lockout
> > A user account can be locked out after a given number of repeated
> > authentication failures. A user can also be locked out if his account is
> > inactivated by an administrator. Authentication will continue to fail
> > until the account lockout time is passed or the administrator
> > reactivates the account."
> >
> >
> This feature is closer to what I recall as "security intrusion". The
> account login is disabled for a specific time, then it works again,
> unless an admin reactivates the account before the specific time is up.
> VMS did this. It's really a Good Thing(tm).
How can that be a Good Thing (tm)?
What would stop anyone from writing a script that disables your account
every 5 minutes (or whatever time interval the account is reactivated)?
Oscar del Rio Guest
-
Mike Miller #4
Re: LDAP password management (aging)
In article <6scRa.10156$6a3.120577@twister.rdc-kc.rr.com>,
no.s.p.a.m-dave57@127.0.0.1 says...
> "Oscar del Rio" <delrio@mie.utoronto.ca> wrote in message
> > How can that be a Good Thing (tm)?
> > What would stop anyone from writing a script that disables your account
> > every 5 minutes (or whatever time interval the account is reactivated)?
> What you do is go into the logs and find out who did such a thing and stop
> them either by a firewall or whatever. If it is from the inside,
> termination works well.
>
As long as it is termination by beheading. Someone mucking about like
that would deserve it.
--
Mike Miller
If all else fails - READ THE INSTRUCTIONS!
or if you like
"If all else fails - THROW HARDER" Robert Smith(pro bowler)
Mike Miller Guest
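The lockout behaviour quoted from the Sun docs, and the log-review step Mike mentions, as an added example that is not code from the thread, from Sun or from pam_ldap: a small Python script replays constructed failed-login records through a "locked after N repeated failures, unlocked once the lockout time has passed" policy, then reports which source host supplied the failures that triggered each lockout and which good-password logins were refused while the account was locked. The record layout (timestamp, user, source, whether the password was correct), the threshold of 3 and the 5-minute lockout are all assumptions for the example, not the real pam_ldap log format or policy values.

```python
"""Replay login records through a timed account-lockout policy.

Added example, not part of the original thread.  The log lines and the
field layout (timestamp user source good|bad) are constructed for the
example; MAX_FAILURES and LOCKOUT_DURATION are assumed policy values.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 3                          # assumed: lock after 3 consecutive bad passwords
LOCKOUT_DURATION = timedelta(minutes=5)   # assumed: "until the account lockout time is passed"

# Constructed sample records, in time order. 10.0.0.7 keeps feeding alice bad
# passwords; 10.0.0.42 is where alice and bob actually log in from.
SAMPLE_LOG = """\
2003-07-15T09:00:00 alice 10.0.0.7 bad
2003-07-15T09:00:05 alice 10.0.0.7 bad
2003-07-15T09:00:09 alice 10.0.0.7 bad
2003-07-15T09:01:00 alice 10.0.0.42 good
2003-07-15T09:02:00 bob 10.0.0.42 bad
2003-07-15T09:02:30 bob 10.0.0.42 good
2003-07-15T09:05:10 alice 10.0.0.7 bad
2003-07-15T09:05:12 alice 10.0.0.7 bad
2003-07-15T09:05:14 alice 10.0.0.7 bad
2003-07-15T09:06:00 alice 10.0.0.42 good
"""


@dataclass
class AccountState:
    failures: int = 0                       # consecutive bad passwords since last success/unlock
    locked_until: Optional[datetime] = None


def parse_log(text):
    """Parse the constructed record format into (time, user, source, cred) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, cred = line.split()
        records.append((datetime.fromisoformat(ts), user, src, cred))
    records.sort(key=lambda r: r[0])
    return records


def simulate(records, max_failures=MAX_FAILURES, lockout=LOCKOUT_DURATION):
    """Apply the lockout policy; return (lockouts, collateral).

    lockouts:   (user, when, source) for the attempt that tripped the lock
    collateral: (user, when, source) good-password logins refused while locked
    """
    state = defaultdict(AccountState)
    lockouts, collateral = [], []
    for ts, user, src, cred in records:
        st = state[user]
        if st.locked_until is not None:
            if ts < st.locked_until:
                # Everything fails while locked, including the real user.
                if cred == "good":
                    collateral.append((user, ts, src))
                continue
            st.locked_until = None          # lockout time has passed
            st.failures = 0
        if cred == "good":
            st.failures = 0
            continue
        st.failures += 1
        if st.failures >= max_failures:
            st.locked_until = ts + lockout
            lockouts.append((user, ts, src))
    return lockouts, collateral


def lockout_sources(lockouts):
    """Per user, count which source host tripped each lockout (the 'go into the logs' step)."""
    per_user = defaultdict(Counter)
    for user, _ts, src in lockouts:
        per_user[user][src] += 1
    return {u: dict(c) for u, c in per_user.items()}


if __name__ == "__main__":
    locks, denied = simulate(parse_log(SAMPLE_LOG))
    for user, when, src in locks:
        print(f"{when} LOCKOUT {user} tripped from {src}")
    for user, when, src in denied:
        print(f"{when} DENIED  {user} good password refused (locked) from {src}")
    print("lockouts by source:", lockout_sources(locks))
```

Running the script shows the point both sides of the thread are making: every lockout on alice is attributable to one source host, which is what you would block or chase down, and each lockout costs the real user (from 10.0.0.42) a refused login until the lockout interval expires.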
-
J.T.E. #5
Re: LDAP password management (aging)
We were one of the companies that really pushed Sun to make this patch
but to be honest with you I'm not impressed by this patch.
The new patch makes Solaris 8 LDAP authentication to work exactly like
Solaris 9. There's nothing wrong with that except that all the tools I
wrote for creating profiles, proxyagents etc are not compatible with
the new structure.
Rgds,
JTE
Oscar del Rio <delrio@mie.utoronto.ca> wrote in message news:<3F131826.7060403@mie.utoronto.ca>...
> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
>
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
>
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
>
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public? Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
>
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security? (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
>
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
>
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced. I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
>
>
> [url]http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view[/url]
> "The following password management features are supported through
> pam_ldap(5).
>
> [snip]
>
> User account lockout
> A user account can be locked out after a given number of repeated
> authentication failures. A user can also be locked out if his account is
> inactivated by an administrator. Authentication will continue to fail
> until the account lockout time is passed or the administrator
> reactivates the account."
J.T.E. Guest