Hello,

I would like to provide some users the ability to log in to their Solaris account using an LDAP credential. Naming services would not be in LDAP. In other words, this could be considered a hybrid of local accounts, files/dns naming services, but adding pam_ldap at the bottom of the authentication stack.

Everything has tested out fine, and there is a sample pam.conf file in the naming service documentation from Sun:

    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_dial_auth.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_ldap.so.1
    ...
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth required pam_ldap.so.1

In testing, however, what I have found is that accounts locked (passwd -l foousr resulting in LK in /etc/shadow) work as expected. Login is denied.

No-password accounts (passwd -N foousr resulting in NP in /etc/shadow) do not work as I thought they would. They are still allowed to log in if they supply the correct LDAP credential.

Many thanks for any feedback.
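
The login auth stack quoted above, run through the control-flag rules documented in pam.conf(4), as an added example that is not part of the original post. The per-module outcomes are constructed assumptions (in particular, that pam_unix_auth fails for an NP entry and that modules not listed in a scenario return PAM_IGNORE), and only the auth stack is modelled, not the account stack.

```python
# Added example: models requisite/required/sufficient handling for one
# PAM auth stack. Module outcomes are constructed inputs, not traces.
LOGIN_AUTH = [  # "login auth" entries from the sample pam.conf in the post
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_dial_auth.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("sufficient", "pam_unix_auth.so.1"),
    ("required", "pam_ldap.so.1"),
]

def evaluate(stack, outcomes):
    """Return (verdict, modules_called).

    outcomes maps module -> 'success' | 'fail' | 'ignore'; a module
    missing from the map is treated as 'ignore' (assumption).
    """
    required_failed = False
    any_success = False
    called = []
    for flag, module in stack:
        called.append(module)
        result = outcomes.get(module, "ignore")
        if result == "ignore":
            continue
        if result == "success":
            any_success = True
            # sufficient success ends the stack unless a required module failed
            if flag == "sufficient" and not required_failed:
                return "success", called
        elif flag == "requisite":
            return "fail", called        # requisite failure aborts at once
        elif flag == "required":
            required_failed = True       # remembered, stack keeps running
        # a failed sufficient module is not fatal; later modules still run
    return ("success" if any_success and not required_failed else "fail"), called

BASE = {"pam_authtok_get.so.1": "success", "pam_unix_cred.so.1": "success"}
SCENARIOS = {  # constructed cases
    "local password ok": {**BASE, "pam_unix_auth.so.1": "success"},
    "NP entry, LDAP ok": {**BASE, "pam_unix_auth.so.1": "fail", "pam_ldap.so.1": "success"},
    "NP entry, LDAP bad": {**BASE, "pam_unix_auth.so.1": "fail", "pam_ldap.so.1": "fail"},
}

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        verdict, called = evaluate(LOGIN_AUTH, outcomes)
        print(f"{name:20} -> {verdict:7} (last module run: {called[-1]})")
```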