On Wed, Jan 07, 2004 at 10:40:46AM -0500, Brian K. Jones wrote:
> And here's my /etc/pam.d/system-auth (used by sshd, which is my primary
> testing application)
[snip]
> account sufficient /lib/security/$ISA/pam_unix.so
> account [default=bad success=ok user_unknown=ignore
> service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
[snip]

The groupdn check is performed as part of the account management checks
implemented by pam_ldap.

You've got pam_unix listed as "sufficient" before pam_ldap, so libpam
calls into pam_unix first when the application (sshd) calls it to perform
account management. The pam_unix module's account management function
verifies that the user's password hasn't expired, and then returns a
success code to libpam. libpam stops there because a success in a
"sufficient" module is enough. The pam_ldap module isn't consulted.

HTH,

Nalin
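Added example, not part of the original message: a simplified Python model of how libpam walks the account stack, applied to the two quoted lines. The return code assumed for a failed groupdn check (perm_denied) and the comparison stack with pam_unix marked "required" are assumptions made for illustration.

```python
# Simplified model of how libpam evaluates one stack (here: "account").
# Illustration only; just the actions needed for this case are modelled.

SUCCESS, PERM_DENIED = "success", "perm_denied"

# Control-flag keywords expanded to their bracket form.
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore",
            "default": "bad"}
# Control taken from the quoted pam_ldap line.
LDAP_CTRL = {"default": "bad", "success": "ok", "user_unknown": "ignore",
             "service_err": "ignore", "system_err": "ignore"}

def run_stack(stack, results):
    """Return (final_status, modules_called) for one pass over the stack.

    stack   -- list of (module_name, control_dict) in file order
    results -- module_name -> return code that module gives (constructed)
    """
    status, impression, called = SUCCESS, None, []
    for name, control in stack:
        ret = results[name]
        called.append(name)
        action = control.get(ret, control["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break  # "sufficient" success: later modules are never called
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", ret
        # "ignore": this module's result does not affect the outcome
    if impression != "positive" and status == SUCCESS:
        status = PERM_DENIED  # no module voted for success
    return status, called

# Constructed case: password not expired, but the groupdn check would fail
# (perm_denied is an assumed return code for that failure).
RESULTS = {"pam_unix": SUCCESS, "pam_ldap": PERM_DENIED}
AS_POSTED = [("pam_unix", SUFFICIENT), ("pam_ldap", LDAP_CTRL)]
UNIX_REQUIRED = [("pam_unix", REQUIRED), ("pam_ldap", LDAP_CTRL)]  # comparison only

if __name__ == "__main__":
    print(run_stack(AS_POSTED, RESULTS))      # pam_ldap is skipped
    print(run_stack(UNIX_REQUIRED, RESULTS))  # pam_ldap is consulted
```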