Doug, did you not see my reply? Perhaps you're not using sssd but the sssd_ldap filter works for me.

-Mike

> From: dkoleary@olearycomputers.com
> Subject: Re: Antw: open(ldap|ssh) interaction
> Date: Tue, 11 Mar 2014 09:05:28 -0500
> To: Ulrich.Windl@rz.uni-regensburg.de
> CC: openldap-technical@openldap.org
>
> Hey;
>
> Thanks for the reply.
>
> > I'm not sure about OpenLDAP, but on HP-UX there was a problem if a local user authenticated with SSH keys only: If the password (that was never used) expired, ssh key login was denied. The user had to change his password (using non-key login).
>
> That's not a problem - that's the way it's supposed to work. An account shouldn't be able to circumvent password expiration requirements simply because its primary access method is ssh keys. There are any number of bad things that can happen as a result of that ability. I can think of three right off the top of my head. Short version: if an account has a password, it needs to change regularly.
>
> I'm figuring it's a pam configuration as well; however, since it's related to ldap authentication, I'm hoping others in this group might have seen and fixed the problem. I already have questions opened w/the OS vendor.
>
> Thanks again for your reply.
>
> Doug O'Leary
> -------------------
> Senior UNIX/Security Admin
> CISSP, CISA, RHCSA, CEH
> O'Leary Computers Inc
> dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
> linkedin: http://www.linkedin.com/in/dkoleary
> resume: http://www.olearycomputers.com/resume.html
>
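The password-aging check Ulrich and Doug are describing, applied to key-based logins because sshd's PAM account stage runs regardless of how the user authenticated, modelled as an added example (not code from the thread, OpenLDAP, sssd or pam_unix). Attribute names are the RFC 2307 shadowAccount ones; the order of the checks and the sample entries are assumptions.

```python
"""Model of the shadow(5) aging check a PAM account stack applies to every
login, including SSH public-key logins. Added example; check ordering is an
assumption, attribute names are the RFC 2307 shadowAccount schema."""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadow attributes are expressed in days since 1970-01-01."""
    return (d - EPOCH).days


def check_aging(entry: dict, today: int) -> str:
    """Return 'ok', 'warn', 'change_required', 'locked' or 'expired'.
    A missing key means the attribute is absent from the LDAP entry."""
    last = entry.get("shadowLastChange")
    max_days = entry.get("shadowMax")
    inactive = entry.get("shadowInactive")
    warn = entry.get("shadowWarning")
    expire = entry.get("shadowExpire")
    if expire is not None and today >= expire:
        return "expired"            # absolute account expiry
    if last is None or max_days is None:
        return "ok"                 # aging disabled: the case Doug warns about
    if last == 0:
        return "change_required"    # admin forced a change at next login
    if today > last + max_days:
        if inactive is not None and today > last + max_days + inactive:
            return "locked"         # grace period over, no login at all
        return "change_required"    # expired: key login must change password
    if warn is not None and today >= last + max_days - warn:
        return "warn"
    return "ok"


def audit(entries: dict, today: int) -> dict:
    """Map uid -> aging state so key-only accounts about to break are visible."""
    return {uid: check_aging(attrs, today) for uid, attrs in entries.items()}


# Constructed sample directory, evaluated on 2014-03-11 (day 16140).
TODAY = days_since_epoch(date(2014, 3, 11))
SAMPLE = {
    "alice": {"shadowLastChange": TODAY - 10, "shadowMax": 90, "shadowWarning": 7},
    "bob": {"shadowLastChange": TODAY - 100, "shadowMax": 90, "shadowInactive": 30},
    "carol": {"shadowLastChange": TODAY - 200, "shadowMax": 90, "shadowInactive": 30},
    "dave": {"shadowLastChange": TODAY - 10, "shadowMax": 90, "shadowExpire": TODAY - 1},
    "erin": {"shadowLastChange": TODAY - 400},          # no shadowMax: never expires
    "frank": {"shadowLastChange": TODAY - 85, "shadowMax": 90, "shadowWarning": 7},
}

if __name__ == "__main__":
    for uid, state in audit(SAMPLE, TODAY).items():
        print(f"{uid:8s} {state}")
```

Running the audit against the real directory (with `shadowMax` absent or huge) lists exactly the accounts that can currently bypass expiry via keys.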