Naming and Directory Services (DNS, NIS, and LDAP)

DNS BINDBIND 8.4.2 ships in the Solaris 10 release. This version of BIND provides a completeDNS client-server solution for IPv6 networks on Solaris software. There are nochanges to the DNS BIND procedures in this guide.BIND 9 is also supported in the Solaris 10 release and installs in the /usr/sfwdirectory. A migration document is available in the /usr/sfw/doc/bind directory. Theinformation and procedures in Part II apply to BIND 9, except as indicated in themigration document.pam_ldap ChangesThe Solaris 10 OS release introduced several changes to pam_ldap, identified in thefollowing list. See the pam_ldap(5) man page for more information.■■■■The previously supported use_first_pass and try_first_pass options areobsolete as of the Solaris 10 software release. These options are no longer needed,may safely be removed from pam.conf, and are silently ignored. They may beremoved in a future release.Password prompting must be provided for by stacking pam_authtok_get beforepam_ldap in the authentication and password module stacks, and by includingpam_passwd_auth in the passwd service auth stack.The previously supported password update function is replaced in this release bythe previously recommended use of pam_authtok_store with theserver_policy option.The pam_ldap account management feature strengthens the overall security of theLDAP Naming Service. Specifically, the account management feature does thefollowing.■■■■■Allows for tracking password aging and expiratioPrevents users from choosing trivial or previously used passwordsWarns users if their passwords are about to expireLocks out users after repeated login failuresPrevents users, other than the authorized system administrator, fromdeactivating initialized accounts294 System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) • January 2005