I was thinking along the same lines:

* is pam_password exop in your /etc/ldap.conf?
* And passwd entry for nsswitch contains ldap?
* Ditto for /etc/pam.d/system-auth-ac?
- chris
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org
Sent: Thu Jan 13 00:22:50 2011
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentication
On 13/01/2011, at 17:45, Konstantin Boyandin wrote:
Hello,
Could someone direct me to the source of wisdom to solve this: I have set correctly the fields (attributes)
shadowExpire shadowLastChange shadowMin shadowMax
to make the account expired (OpenLDAP used to run NT domain), but when I ssh to a server using pam_ldap authentication, it is still allowed to log in.
How should pam_ldap be instructed to take the expiration attributes into account?
Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf, and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?
Thanks. Sincerely, Konstantin
William Brown
pgp.mit.edu
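To check whether the shadow attributes on an entry actually describe an expired account before blaming pam_ldap, here is an added example (not from this thread or from the pam_ldap project) that evaluates shadowExpire / shadowLastChange / shadowMax / shadowInactive the way shadow(5) and pam_unix's account check interpret them; the sample entry and the assumption that pam_ldap applies the same rules are mine.

```python
from datetime import date
from typing import Optional

def days_since_epoch(d: Optional[date] = None) -> int:
    """Shadow fields are day counts since 1970-01-01, not seconds."""
    d = d or date.today()
    return (d - date(1970, 1, 1)).days

def _day_attr(entry: dict, name: str) -> Optional[int]:
    """Read an integer shadow attribute from an ldapsearch-style dict;
    None means absent; shadow(5) treats negative values as unset."""
    v = entry.get(name)
    if v is None:
        return None
    if isinstance(v, list):
        v = v[0]
    try:
        n = int(v)
    except ValueError:
        return None
    return n if n >= 0 else None

def shadow_status(entry: dict, today: int) -> str:
    """Order mirrors pam_unix's check_shadow_expiry (assumption: pam_ldap
    evaluates a shadowAccount entry the same way)."""
    expire = _day_attr(entry, "shadowExpire")
    lstchg = _day_attr(entry, "shadowLastChange")
    smax = _day_attr(entry, "shadowMax")
    inact = _day_attr(entry, "shadowInactive")
    if expire is not None and today >= expire:
        return "ACCOUNT_EXPIRED"          # hard expiry date reached
    if lstchg and smax and inact and today >= lstchg + smax + inact:
        return "ACCOUNT_EXPIRED"          # password lapsed past grace period
    if lstchg == 0:
        return "NEW_AUTHTOK_REQD"         # admin forced a change at next login
    if lstchg and smax and today >= lstchg + smax:
        return "NEW_AUTHTOK_REQD"         # password older than shadowMax days
    return "OK"

# Constructed sample entry, shaped like ldapsearch output for a shadowAccount.
SAMPLE_EXPIRED = {"uid": ["kb"], "shadowExpire": ["14000"],
                  "shadowLastChange": ["13900"], "shadowMax": ["90"]}

if __name__ == "__main__":
    print(shadow_status(SAMPLE_EXPIRED, days_since_epoch()))
```

If this returns ACCOUNT_EXPIRED for the entry but ssh still succeeds, the attributes are fine and the gap is in which module performs the account stage (the nsswitch/pam.d questions raised above).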