I am trying to set up LDAP authentication for CentOS workstations, but can't get it to authenticate properly. Authentication fails saying the account has expired when I know for certain that it has not (e.g. ldapsearch authenticated with the appropriate uid and password returns shadowLastChange 14816 and shadowMax 99999). The last time I did this seriously for authentication was using Apple iMacs authentication against a SuSE Linux machine so it's entirely possible I'm not doing the right thing today. Most of the sites where we're using ldap and nss are not authentication, but simply going to user's $HOME directories to deliver e-mail to Maildir stores which doesn't require authentication. FWIW, I just checked an old SLES9 system authenticating against another SuSE system by telnet'ing to its POP3 server and that works as expected so it's something different in the way SuSE's PAM and CentOS' works (using MD5 passwords). I have done a fair amount of google/RTFM as well as reading the pam documentation on the CentOS client machine, and don't find anything that helps me figure out is causing it to think the account has expired. The LDAP attributes that I think are relevant on a test account are below. I don't see anything here that looks hinky, but then I am fairly ignorant on PAM authentication. shadowExpire 0 shadowFlag 0 shadowInactive 0 shadowLastChange 14816 shadowMax 99999 shadowMin 0 shadowWarning 7 Bill -- INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792 "I ask, sir, what is the militia? It is the whole people. To disarm the people is the best and most effectual way to enslave them."-- George Mason