Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014

LDAP Account Management

With pam_krb5 performing account and password management, the Kerberos environment manages all of the account, password, account lockout, and other account management details.

If you do not use pam_krb5, then the LDAP naming service can be configured to take advantage of the password and account lockout policy support in Oracle Directory Server Enterprise Edition. You can configure pam_ldap to support user account management. With the proper PAM configuration, the passwd command enforces the password syntax rules set by the Oracle Directory Server Enterprise Edition password policy. However, do not enable account management for proxy accounts.

The following account management features are supported by pam_ldap. These features depend on Oracle Directory Server Enterprise Edition's password and account lockout policy configuration. You can enable any number of these features.

  • Password aging and expiration notification - Users must change their passwords according to a schedule. Otherwise, the password expires and user authentication fails.

    Users are warned whenever they log in within the expiration warning period. The warning includes the remaining time before password expiration.

  • Password syntax checking - New passwords must meet the minimum password length requirements. A password must not match the value of the uid, cn, sn, or mail attributes in the user's directory entry.

  • Password in history checking - Users cannot reuse passwords. LDAP administrators can configure the number of passwords kept in the server's history list.

  • User account lockout - A user account can be locked out after a specified number of repeated authentication failures. A user can also be locked out if an administrator inactivates the account. Authentication continues to fail until the account lockout period has passed or the administrator reactivates the account.


Note - These account management features only work with the Oracle Directory Server Enterprise Edition. For information about configuring the password and account lockout policy on the server, see the User Account Management chapter in the Administration Guide for the version of Oracle Directory Server Enterprise Edition that you are using. See also Example pam_conf File Using the pam_ldap Module for Account Management.

Before configuring the password and account lockout policy on Oracle Directory Server Enterprise Edition, make sure all hosts use the most recent version of the LDAP client with pam_ldap account management. Additionally, make sure the clients have a properly configured pam.conf file. Otherwise, the LDAP naming service fails when proxy or user passwords expire.
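As an added example (not from the Oracle guide or Solaris itself), the following Python check parses a pam.conf and verifies that a service's account stack has the layout the guide's pam_ldap example uses: pam_unix_account.so.1 with the server_policy option, followed by pam_ldap.so.1. The sample configurations are constructed, and the check assumes that layout is what a properly configured client looks like.

```python
from typing import List, NamedTuple


class PamEntry(NamedTuple):
    service: str
    mtype: str      # auth, account, session or password
    control: str    # requisite, required, binding, optional, sufficient
    module: str
    options: tuple


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse Solaris pam.conf lines: service type control module [options]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *opts = fields
        entries.append(PamEntry(service, mtype, control, module, tuple(opts)))
    return entries


def check_ldap_account_stack(entries: List[PamEntry], service: str = "other") -> List[str]:
    """Return findings for one service's account stack; an empty list means the
    stack matches the layout assumed here (pam_unix_account server_policy, then pam_ldap)."""
    stack = [e for e in entries if e.service == service and e.mtype == "account"]
    unix = [e for e in stack if e.module == "pam_unix_account.so.1"]
    ldap = [e for e in stack if e.module == "pam_ldap.so.1"]
    findings = []
    if not ldap:
        findings.append(f"{service}/account: pam_ldap.so.1 is not stacked, so the directory "
                        "server's password and lockout policy is not enforced")
    if unix and not any("server_policy" in e.options for e in unix):
        findings.append(f"{service}/account: pam_unix_account.so.1 lacks server_policy, so local "
                        "rules are applied to LDAP users instead of the directory policy")
    if ldap and unix and stack.index(ldap[0]) < stack.index(unix[0]):
        findings.append(f"{service}/account: pam_ldap.so.1 should follow pam_unix_account.so.1")
    return findings


# Constructed sample stacks (not copied from any real host).
GOOD_CONF = """
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1
"""
BAD_CONF = """
# stock stack with no LDAP account management
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_ldap_account_stack(parse_pam_conf(conf)) or ["ok"])
```

Run it against a copy of /etc/pam.conf from each client before enabling the server-side policy; any finding is a host whose LDAP logins could start failing once passwords expire.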