
Re: LDAP and PAM: account is expired, but pam_ldap allows authentification





On 13/01/2011, at 17:45, Konstantin Boyandin wrote:

> Hello,
> 
> Could someone direct me to the source of wisdom to solve this: I have
> set correctly the fields (attributes)
> 
> shadowExpire
> shadowLastChange
> shadowMin
> shadowMax
> 
> to make the account expired (OpenLDAP used to run NT domain), but when I
> ssh to a server using pam_ldap authentication, it is still allowed to login.
> 
> How should pam_ldap be instructed to take the expiration attributes into
> account?

Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf, and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?

> 
> Thanks.
> Sincerely,
> Konstantin

William Brown

pgp.mit.edu


