
Re: LDAP and PAM: account is expired, but pam_ldap allows authentication



Indexer wrote:


On 13/01/2011, at 17:45, Konstantin Boyandin wrote:

Hello,

Could someone direct me to the source of wisdom to solve this: I have
set correctly the fields (attributes)

shadowExpire
shadowLastChange
shadowMin
shadowMax

to make the account expired (OpenLDAP used to run NT domain), but when I
ssh to a server using pam_ldap authentication, it is still allowed to log in.

How should pam_ldap be instructed to take the expiration attributes into
account?

Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf, and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?

As a reminder - the OpenLDAP-technical list is for the discussion of actual OpenLDAP software, as well as how to make other software interoperate with it. Questions that are purely about how to make 3rd party software "foo" work at all do not belong on this list.

There is no evidence that the original poster is having any trouble using OpenLDAP. His question is entirely about making 3rd party software work, and those questions belong on the support forums for those 3rd party software packages.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/