[CentOS] OpenLDAP authentication, account expired when it's not.

Mon Jul 26 22:44:48 UTC 2010
Bill Campbell <centos at celestial.com>

I am trying to set up LDAP authentication for CentOS workstations, but
can't get it to authenticate properly.  Authentication fails saying the
account has expired when I know for certain that it has not (e.g.
ldapsearch authenticated with the appropriate uid and password returns
shadowLastChange 14816 and shadowMax 99999).

The last time I did this seriously for authentication was using Apple iMacs
authentication against a SuSE Linux machine so it's entirely possible I'm
not doing the right thing today.  Most of the sites where we're using ldap
and nss are not authentication, but simply going to user's $HOME
directories to deliver e-mail to Maildir stores which doesn't require
authentication.  FWIW, I just checked an old SLES9 system authenticating
against another SuSE system by telnet'ing to its POP3 server and that works
as expected so it's something different in the way SuSE's PAM and CentOS'
works (using MD5 passwords).

I have done a fair amount of google/RTFM as well as reading the pam
documentation on the CentOS client machine, and don't find anything that
helps me figure out is causing it to think the account has expired.

The LDAP attributes that I think are relevant on a test account are below.
I don't see anything here that looks hinky, but then I am fairly ignorant
on PAM authentication.

shadowExpire 0
shadowFlag 0
shadowInactive 0
shadowLastChange 14816
shadowMax 99999
shadowMin 0
shadowWarning 7

INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

"I ask, sir, what is the militia? It is the whole people. To disarm the
people is the best and most effectual way to enslave them."-- George Mason