>Are you really sure? I don't know PAM on Solaris, but if you only
>allow imap, sieve and possibly pop3 in e.g. /etc/pam.d/ user can't get
>an interactive account.

On Solaris with LDAP NSS, the LDAP accounts must have

    ObjectClass: posixAccount
    ObjectClass: shadowAccount

and therefore UID/GID/Homedir/Shell set. But one can set the shell to
/bin/false to disable login.

On systems with NSS based on OpenLDAP one can set in /etc/ldap.conf

    pam_filter objectclass=account

or whatever and doesn't need posixAccount/shadowAccount object classes.

Regards,
Bernd

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html