Naming and Directory Services (DNS, NIS, and LDAP)

pam_ldap ChangesThe Solaris 10 OS release introduced several changes to pam_ldap, identified in thefollowing list. Also, see the pam_ldap(5) man page for more information.■■■The previously supported use_first_pass and try_first_pass options areobsolete as of the Solaris 10 software release. These options are no longer needed,may safely be removed from pam.conf, and are silently ignored. They may beremoved in a future release.Password prompting must be provided for by stacking pam_authtok_get beforepam_ldap in the authentication and password module stacks, and by includingpam_passwd_auth in the passwd service auth stack.The previously supported password update function is replaced in this release bythe previously recommended use of pam_authtok_store with theserver_policy option.An upgrade to this release will not automatically update the existing pam.conf file toreflect the above changes. If the existing pam.conf file contains a pam_ldapconfiguration, you will be notified after the upgrade via the CLEANUP file. You willneed to examine the pam.conf file and modify it, as needed.It is not possible to provide a clean automatic update for the changes listed above,primarily password prompting and password update, due to the relevance of othermodules used in the same stack and also due to the existence of third party modules.See pam_passwd_auth(5), pam_authtok_get(5), pam_authtok_store(5), andpam.conf(4) man pages for more information.LDAP CommandsThere are two sets of LDAP-related commands in the Solaris system. One set is thegeneral LDAP tools, which do not require the client to be configured with LDAPnaming services. The second set uses the common LDAP configuration on the clientand therefore can only be used if the client is configured to use LDAP as its namingservice.198 System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) • January 2005