CentOS - Jul 2010 - OpenLDAP authentication, account expired when it's not.

I am trying to set up LDAP authentication for CentOS workstations, but
can't get it to authenticate properly.  Authentication fails saying the
account has expired when I know for certain that it has not (e.g.
ldapsearch authenticated with the appropriate uid and password returns
shadowLastChange 14816 and shadowMax 99999).

The last time I did this seriously for authentication was using Apple iMacs
authentication against a SuSE Linux machine so it's entirely possible
I'm
not doing the right thing today.  Most of the sites where we're using ldap
and nss are not authentication, but simply going to user's $HOME
directories to deliver e-mail to Maildir stores which doesn't require
authentication.  FWIW, I just checked an old SLES9 system authenticating
against another SuSE system by telnet'ing to its POP3 server and that works
as expected so it's something different in the way SuSE's PAM and
CentOS'
works (using MD5 passwords).

I have done a fair amount of google/RTFM as well as reading the pam
documentation on the CentOS client machine, and don't find anything that
helps me figure out is causing it to think the account has expired.

The LDAP attributes that I think are relevant on a test account are below.
I don't see anything here that looks hinky, but then I am fairly ignorant
on PAM authentication.

shadowExpire 0
shadowFlag 0
shadowInactive 0
shadowLastChange 14816
shadowMax 99999
shadowMin 0
shadowWarning 7

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

"I ask, sir, what is the militia? It is the whole people. To disarm the
people is the best and most effectual way to enslave them."-- George Mason

On Mon, Jul 26, 2010 at 03:44:48PM -0700, Bill Campbell
wrote:
> I am trying to set up LDAP authentication for CentOS workstations, but
> can't get it to authenticate properly.  Authentication fails saying the
> account has expired when I know for certain that it has not (e.g.
> ldapsearch authenticated with the appropriate uid and password returns
> shadowLastChange 14816 and shadowMax 99999).
Well, I'm just going to spam my own page.  Give it a gander, and see if
following it from the get go works.

Note the link to the forum thread in it--it's possible, though not
proven, that CentOS (probably RH) *might* have broken ldap.

http://home.roadrunner.com/~computertaijutsu/ldap.html

All I can say is that it works for me, but--and it's probably an
important but--I haven't set it up from scratch on CentOS 5.5 yet. 


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Anya: For a thousand years I wielded the powers of the
Wish. I brought ruin to the heads of unfaithful men. I brought forth
destruction and chaos for the pleasure of the lower beings. I was
feared and worshipped across the mortal globe. And now I'm stuck at
Sunnydale High. Mortal. Child. And I'm flunking Math.