LDAP and PAM: account is expired, but pam_ldap allows authentification

Hello, Could someone direct me to the source of wisdom to solve this: I have set correctly the fields (attributes) shadowExpire shadowLastChange shadowMin shadowMax to make the account expired (OpenLDAP used to run NT domain), but when I ssh to a server using pam_ldap authentication, it is still allowed to login. How pam_ldap should be instructed to take the expiration attributes ito account? Thanks. Sincerely, Konstantin