Buchan,
Have you set 'pam_lookup_policy yes' in pam_ldap's ldap.conf?
Yes.
# cat /usr/local/etc/ldap.conf | grep pam_lookup
pam_lookup_policy yes
Are you using pam_ldap in the "account" lines of your PAM configuration?
Yes (if you refer to sshd, which is the service that I use with PAM to make the request in LDAP cluster).
# cat /etc/pam.d/sshd | grep account
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
In http://www.nabble.com/Re:-Password-expiry-warning-message-from-ppolicy-td807... , Prakash Velayutham says:
"Wanted to give a heads up. I have found a solution to this one and it was not pam_ldap. It was the OpenSSH on my system. I was running OpenSSH 4.1p1 and looks like this issue was fixed in 4.3p2 and higher. I got the latest 4.5p2 and things are working now. I will test some more and report back again soon."
Effectively, I use FreeBSD 7.0, which is shipped with OpenSSH 4.5p1; but I've upgraded the OpenSSH to 5.2p1 and I cannot see the warning messages yet.