Hi,
Please, bear with me! I know that this is not an openldap question per se, but
I've been banging my head on the wall for a long time on this issue and maybe
someone knows the quick answer: with user authentication coming from LDAP, what
is the magic that has to be inserted into the PAM stuff on a client to allow users
to change their login shells using 'chsh'? I've been googling this for hours to
no avail. A nice hint would just suffice.
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I managed to make the 'passwd' command work using the libnss-ldap
configuration 'pam_password exop' directive, but I'm clueless with chsh...
Right now I'm getting the message:
chsh: user 'luser' does not exist in /etc/passwd
and the system auth logs tell me:
chsh[4638]: pam_unix(chsh:auth): authentication failure; logname=luser uid=1137 euid=0 tty= ruser= rhost= user=luser
/etc/pam.d/chsh originally contained, once the @include lines were expanded:
auth required pam_shells.so
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
I tried to trim it down -- removing the account and session entries -- but to no
avail so far...
thanks,
jf
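The auth stack quoted in the post mixes the keyword flags (required, requisite, sufficient, optional) with the bracketed `[success=N default=ignore]` form, and which module actually decides the outcome is not obvious from reading it. The following is an added illustration, not code from the original post or from Linux-PAM: it re-implements the control-flag semantics documented in pam.conf(5) and walks the post's own auth section with constructed module return codes (the module names and the `chsh_auth` helper are taken from the listing; the return-code scenarios are assumptions). In the scenario matching the posted log line, pam_unix's failure is discarded by `default=ignore`, pam_ldap's success jumps over pam_deny, and the stack returns success. Note that this models only the PAM decision; the "does not exist in /etc/passwd" message is printed by chsh itself rather than by a PAM module, so it is outside what the stack decides.

```python
"""Walk a Linux-PAM auth stack the way the dispatcher does.

Added example: re-implements the pam.conf(5) control-flag semantics
(keyword flags and [value=action] tables) over constructed return codes.
"""
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_IGNORE = "PAM_IGNORE"

# pam.conf(5) defines the keyword flags as shorthand for these tables.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The auth section exactly as it appears in the post.
CHSH_AUTH_STACK = """\
auth required pam_shells.so
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# These two modules have fixed results: pam_deny always fails, pam_permit
# always succeeds. Scenarios may override them but normally need not.
ALWAYS = {"pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_stack(text, module_type="auth"):
    """Return a list of (action_table, module, args) for one module type."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        mtype, control, module, args = m.groups()
        if mtype != module_type:
            continue
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((table, module, args or ""))
    return stack


def run_stack(stack, returns):
    """Return (final_status, trace). `returns` maps module -> PAM_* code it
    would return; modules not listed are treated as returning PAM_IGNORE."""
    impression = None   # None = undecided, True = positive, False = negative
    status = None
    skip = 0
    trace = []
    for table, module, _args in stack:
        if skip:
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        retval = returns.get(module, PAM_IGNORE)
        key = retval[len("PAM_"):].lower()          # PAM_AUTH_ERR -> "auth_err"
        action = table.get(key, table.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            # ok, done and a jump record the result unless an earlier module
            # already left the stack in a failed state.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression = retval == PAM_SUCCESS
                status = retval
            if action == "done" and impression:
                break                               # 'sufficient' succeeded
            if action.isdigit():
                skip = int(action)                  # skip the next N modules
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break                               # 'requisite' failed
        elif action == "reset":
            impression, status = None, None
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r} for {module}")
    if impression is None:
        status = PAM_PERM_DENIED    # nothing recorded a result: deny
    return status, trace


def chsh_auth(returns):
    """Run the post's auth stack with a constructed set of module results."""
    return run_stack(parse_stack(CHSH_AUTH_STACK), {**ALWAYS, **returns})


if __name__ == "__main__":
    # Constructed scenario matching the posted log: pam_unix rejects the
    # LDAP-only user (logged as "authentication failure"), pam_ldap accepts.
    status, trace = chsh_auth({"pam_shells.so": PAM_SUCCESS, "pam_rootok.so": PAM_AUTH_ERR,
                               "pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_SUCCESS})
    print(status, *trace, sep="\n  ")
```

Changing one constructed result shows how the flags interact: a pam_shells failure (shell not listed in /etc/shells) is `required`, so the stack still runs to the end but cannot recover and returns PAM_AUTH_ERR even when pam_ldap succeeds, while a wrong password makes both pam_unix and pam_ldap fall through to the `requisite` pam_deny, which stops the stack immediately.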