pam_ldap needs a valid password to do accounting, because it binds to the server
as the user logging in. If the auth stack has pam_rhosts_auth and it succeeds,
no auth token is stored in PAM, so LDAP accounting fails. However,
if rhosts auth fails, LDAP accounting is done properly.
What the customer wants is a way to do account checking only if a password was
typed. As it stands now, there is no way to do selective account checking for
LDAP or any other module. A custom account module that succeeds if rhosts
permission is present, configured as sufficient, does the job. Another way to
achieve this is to make pam_ldap check accounting data by binding as the
proxyagent. Currently they are using a custom module that works as described
above.
The customer wants this module to be officially pulled into Solaris or for their
requirement to be met in some other manner.
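
The stack interaction described above, sketched as a pam.conf fragment. This is an added example, not the customer's configuration: the rlogin service, the surrounding module lines and the module name pam_rhosts_acct.so.1 are assumptions made for illustration.

```conf
# Constructed example. Format: service  type  control_flag  module  [options]

# Auth stack: if pam_rhosts_auth succeeds, "sufficient" ends the stack here,
# no password is prompted for and no auth token is stored in PAM.
rlogin  auth     sufficient  pam_rhosts_auth.so.1
rlogin  auth     requisite   pam_authtok_get.so.1
rlogin  auth     binding     pam_unix_auth.so.1 server_policy
rlogin  auth     required    pam_ldap.so.1

# Account stack as it stands: pam_ldap always runs. After an rhosts login
# it has no password to bind with as the user, so the account check fails.
#rlogin  account  requisite   pam_roles.so.1
#rlogin  account  binding     pam_unix_account.so.1 server_policy
#rlogin  account  required    pam_ldap.so.1

# Account stack with the custom module (hypothetical name): it succeeds
# when rhosts permission is present, and "sufficient" then returns before
# pam_ldap is reached. If a password was typed because rhosts did not
# permit the login, it does not succeed and pam_ldap accounting runs.
rlogin  account  requisite   pam_roles.so.1
rlogin  account  sufficient  pam_rhosts_acct.so.1
rlogin  account  binding     pam_unix_account.so.1 server_policy
rlogin  account  required    pam_ldap.so.1
```

With this arrangement, LDAP account data is not consulted at all for rhosts-trusted logins. The proxyagent alternative mentioned above would keep that check in place.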