shadowExpire doesn't work with pam_ldap.so
I have installed and configured an LDAP server on Debian. All Linux
user accounts are authenticated against the LDAP server.
I use the PAM module.
When I set (with the usermod command) that a certain account is expired,
it works fine. But when I set the shadowExpire attribute in LDAP, the
system doesn't respect this setting and the account is enabled all the time.
The usermod command doesn't affect LDAP attributes.
Please help!
Here is /etc/pam.d/ssh:
#%PAM-1.0
#auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so debug
auth required pam_unix_auth.so try_first_pass audit
#auth required pam_env.so try_first_pass
account sufficient pam_ldap.so debug
account required pam_unix_acct.so shadow use_first_pass
session sufficient pam_ldap.so
session required pam_unix_session.so shadow use_first_pass
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
#session optional pam_mail.so standard noenv try_first_pass
session required pam_limits.so
password required pam_cracklib.so retry=3 minlen=6 difok=3
password sufficient pam_ldap.so
#password required pam_unix.so try_first_pass
password required pam_unix.so use_authtok
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
Here is part of the slapd.conf file:
access to *
        by anonymous read
        by self write
        by dn="cn=admin,o=ou" write
        by dn="uid=root,ou=People,o=ou" write
        by * read
---------------------------------------
Roman Vareka
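As an added example (not part of the original post), the following script applies the same shadowExpire rule that pam_unix uses (the value is days since 1970-01-01, -1 or absent means never expires, and the account is expired once today is past that day) to entries exported from the directory as LDIF, so you can check what the directory data itself says before looking at the PAM stack. It assumes, as nss_ldap/pam_ldap do, that only entries with objectClass shadowAccount are visible as shadow entries; the users and their attribute values are constructed.

```python
from datetime import date
EPOCH = date(1970, 1, 1)  # shadowExpire counts days from this date, like /etc/shadow

def days_since_epoch(d):
    return (d - EPOCH).days

def parse_ldif(text):
    """Minimal LDIF: entries split by blank lines, 'attr: value' lines, repeats become lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def is_expired(entry, today_days):
    """pam_unix rule: expired iff shadowExpire != -1 and today > shadowExpire. Returns None
    when objectClass shadowAccount is missing: the shadow map never exposes such an entry."""
    if "shadowAccount" not in entry.get("objectClass", []):
        return None
    expire = int(entry.get("shadowExpire", ["-1"])[0])  # absent attribute == never expires
    return expire != -1 and today_days > expire

def audit(ldif_text, today_days):
    """Map uid -> 'expired' | 'active' | 'no-shadow' for every entry in the LDIF text."""
    report = {}
    for e in parse_ldif(ldif_text):
        state = is_expired(e, today_days)
        report[e["uid"][0]] = "no-shadow" if state is None else ("expired" if state else "active")
    return report

# Constructed sample entries (hypothetical users under the post's o=ou suffix).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,o=ou
objectClass: shadowAccount
uid: alice
shadowExpire: 12000

dn: uid=bob,ou=People,o=ou
objectClass: shadowAccount
uid: bob
shadowExpire: -1

dn: uid=carol,ou=People,o=ou
objectClass: posixAccount
uid: carol
shadowExpire: 12000
"""
```

Run `audit(SAMPLE_LDIF, days_since_epoch(date.today()))` to get each uid's state as of today; an entry reported as `no-shadow` has a shadowExpire that PAM will never consult.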