I was thinking along the same lines:

* is pam_password exop in your /etc/ldap.conf?
* And passwd entry for nsswitch contains ldap?
* Ditto for /etc/pam.d/system-auth-ac?

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jac...@apollogrp.edu

----- Original Message -----
From: openldap-technical-boun...@openldap.org <openldap-technical-boun...@openldap.org>
To: Konstantin Boyandin <temmo...@gmail.com>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Thu Jan 13 00:22:50 2011
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentification

On 13/01/2011, at 17:45, Konstantin Boyandin wrote:

> Hello,
>
> Could someone direct me to the source of wisdom to solve this: I have
> set correctly the fields (attributes)
>
> shadowExpire
> shadowLastChange
> shadowMin
> shadowMax
>
> to make the account expired (OpenLDAP used to run NT domain), but when I
> ssh to a server using pam_ldap authentication, it is still allowed to login.
>
> How pam_ldap should be instructed to take the expiration attributes into
> account?

Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf, and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?

> Thanks.
> Sincerely,
> Konstantin

William Brown
pgp.mit.edu
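
The three checks listed in the reply at the top of this thread, written as a script; this is an added example, not code from any poster, and the file contents in it are constructed samples. It goes one step further than "contains ldap" for the PAM file by requiring an `account` line for pam_ldap.so, since PAM evaluates account validity in the account phase rather than during authentication.

```python
# Constructed sample file contents (not taken from the thread).
LDAP_CONF = "base dc=example,dc=org\npam_password exop\n"
NSSWITCH = "passwd: files ldap\nshadow: files ldap\n"
PAM_STACK = """\
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_ldap.so use_first_pass
account     required      pam_unix.so
password    sufficient    pam_ldap.so use_authtok
"""

def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def pam_password(ldap_conf):
    """pam_password value from ldap.conf text, or None (assumption: last one wins)."""
    values = [f[1].lower() for f in _fields(ldap_conf)
              if f[0].lower() == "pam_password" and len(f) > 1]
    return values[-1] if values else None

def nss_has_ldap(nsswitch, database):
    """True if the nsswitch.conf line for `database` lists the ldap source."""
    return any(f[0] == database + ":" and "ldap" in f[1:]
               for f in _fields(nsswitch))

def pam_ldap_types(pam_stack):
    """PAM management groups (auth, account, ...) that call pam_ldap.so."""
    return {f[0].lstrip("-") for f in _fields(pam_stack)
            if len(f) >= 3 and any(x.endswith("pam_ldap.so") for x in f[2:])}

def review(ldap_conf, nsswitch, pam_stack):
    """Return a list of findings for the three checks from the thread."""
    findings = []
    if pam_password(ldap_conf) != "exop":
        findings.append("ldap.conf: pam_password is not exop")
    if not nss_has_ldap(nsswitch, "passwd"):
        findings.append("nsswitch.conf: passwd does not list ldap")
    types = pam_ldap_types(pam_stack)
    if not types:
        findings.append("PAM stack: pam_ldap.so is not referenced")
    elif "account" not in types:
        findings.append("PAM stack: pam_ldap.so has no account line")
    return findings

if __name__ == "__main__":
    for finding in review(LDAP_CONF, NSSWITCH, PAM_STACK):
        print(finding)
```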