Locking accounts and still allowing ldap logins?


So, until SLES12sp3, we could create an account on a box which was configured for LDAP authentication, and when we locked the account they could still
ssh into the box. Now with SLES12sp4 that no longer appears to be the case. If I lock an account it cannot log in at all. If I set a junk password, LDAP
logins work again. Any suggestions on how to not set a local password, but still allow LDAP logins?

2019-03-15T13:50:41.961114-04:00 box2 sshd[25190]: error: PAM: User account has expired for user from ?

If I set an expire date in the future I get the same message. I thought a 0 for the expire date meant never expire?



It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort and volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team

Check your configuration files for login/authentication to the SSH server.

Configuration files for login/authentication to the SSH server (sshd) are:


For a description of all configuration parameters for login/authentication to the SSH server (sshd) read:

[CODE]# man sshd_config

man pam

man pam.d[/CODE]


Interesting configuration parameters in /etc/ssh/sshd_config are:

[CODE]GSSAPIAuthentication
UsePAM
PubkeyAuthentication
HostbasedAuthentication
PasswordAuthentication
ChallengeResponseAuthentication
KbdInteractiveAuthentication
KerberosAuthentication
KerberosOrLocalPasswd
PermitEmptyPasswords
PermitRootLogin[/CODE]

ArchWiki is an interesting source of Linux information:




For some reason I didn't get an email for these replies, so I didn't read them until now.

Looking at a box that was upgraded from 12sp3 to 12sp4 and a box that was upgraded from 11sp4 to 12sp4, in /etc/pam.d/common-account
I notice a big difference...

From the 12sp3 box...

[CODE]account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass[/CODE]

From the 11sp4 box...

[CODE]account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass[/CODE]

Changing the 11sp4 config to the 12sp3 config fixes the issue, with a systemctl restart sshd.
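To make the behaviour of the 12sp3 common-account stack above concrete, here is a small Python model of it, written for this reply and not taken from the thread, from SUSE or from Linux-PAM. It walks the stack with requisite/sufficient/required semantics and reproduces, as I read check_shadow_expiry() in Linux-PAM's modules/pam_unix/passverify.c (consult that file for the authoritative version), the account-phase date checks that produce "User account has expired". The /etc/shadow lines, the local user list, the LDAP account state and the day number for today are all constructed for the demo. Two things it shows that the posted lines alone do not: a local user whose shadow expire field is 0 is rejected by pam_unix (requisite) before pam_localuser or pam_ldap is ever asked, because 0 is day 0 of 1970 and only an empty field means "never"; and because pam_localuser is sufficient, the LDAP-side account state of a local user is never consulted in the account phase at all.

```python
"""Model of the common-account stack posted above and of pam_unix's shadow
expiry check.  Added example with constructed data; not code from the thread."""

# Constructed /etc/shadow sample.  Field order (days since 1970-01-01):
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
SHADOW_SAMPLE = """\
alice:!:17000:0:99999:7:::
bob:*:17000:0:99999:7::0:
carol:*:17000:0:99999:7::99999:
dave:*:17000:0:99999:7:::
frank:*:17000:0:90:7:30::
"""
# Constructed /etc/passwd membership, which is all pam_localuser looks at.
LOCAL_USERS = {"alice", "bob", "carol", "dave", "frank"}
# Constructed LDAP state: True means the account is enabled on the directory side.
LDAP_ENABLED = {"alice": True, "bob": True, "carol": True, "dave": False, "frank": True}

TODAY = 17970  # constructed "today": 2019-03-15, the date of the sshd log line above

# PAM return codes used by the model (names as in Linux-PAM).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"        # sshd logs this as "User account has expired"
PAM_AUTHTOK_EXPIRED = "PAM_AUTHTOK_EXPIRED"


def parse_shadow(text):
    """Parse shadow lines; empty numeric fields become -1, as getspnam() reports them."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        nums = [int(x) if x != "" else -1 for x in f[2:8]]
        entries[f[0]] = dict(zip(("lastchg", "min", "max", "warn", "inact", "expire"), nums))
        entries[f[0]]["hash"] = f[1]
    return entries


def check_shadow_expiry(sp, today):
    """Model of check_shadow_expiry() in pam_unix (warn/min handling omitted).
    Only the date fields matter here; a '!'-prefixed hash is an auth-phase matter."""
    if sp["expire"] != -1 and today >= sp["expire"]:
        return PAM_ACCT_EXPIRED            # 0 is a valid day number, so it counts as expired
    if sp["lastchg"] == 0:
        return PAM_NEW_AUTHTOK_REQD        # password must be changed at next login
    if today < sp["lastchg"]:
        return PAM_SUCCESS                 # change date in the future: let it through
    age = today - sp["lastchg"]
    if sp["max"] != -1 and sp["inact"] != -1 and age > sp["max"] + sp["inact"]:
        return PAM_AUTHTOK_EXPIRED         # password expired and inactivity window passed
    if sp["max"] != -1 and age > sp["max"]:
        return PAM_NEW_AUTHTOK_REQD        # password expired, still within inactivity window
    return PAM_SUCCESS


SHADOW = parse_shadow(SHADOW_SAMPLE)


def pam_unix_account(user, today):
    sp = SHADOW.get(user)
    return check_shadow_expiry(sp, today) if sp else PAM_USER_UNKNOWN


def pam_localuser_account(user, today):
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_PERM_DENIED


def pam_ldap_account(user, today):
    return PAM_SUCCESS if LDAP_ENABLED.get(user) else PAM_PERM_DENIED


# The 12sp3 stack from the post, as (control flag, module) pairs.
COMMON_ACCOUNT_12SP3 = [
    ("requisite", pam_unix_account),
    ("sufficient", pam_localuser_account),
    ("required", pam_ldap_account),
]


def run_account_stack(stack, user, today=TODAY):
    """Evaluate a PAM account stack with requisite/sufficient/required semantics.
    Returns (final result, names of the modules actually consulted)."""
    consulted, first_failure = [], None
    for control, module in stack:
        rc = module(user, today)
        consulted.append(module.__name__)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc, consulted                   # stop the stack right here
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc                     # remember the failure, keep going
        if control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, consulted          # enough; later modules are skipped
    return (first_failure or PAM_SUCCESS), consulted


if __name__ == "__main__":
    for user in sorted(SHADOW):
        result, path = run_account_stack(COMMON_ACCOUNT_12SP3, user)
        print(f"{user:6} -> {result:20} via {' -> '.join(path)}")
```

Running it, bob (expire field 0) and frank (password older than max+inact) are stopped at pam_unix with PAM_ACCT_EXPIRED and PAM_AUTHTOK_EXPIRED respectively, while alice, carol and dave pass after pam_localuser, dave included even though the constructed LDAP entry marks him disabled. If the local user must not have a usable local password, the safe setting in this model is a placeholder hash with the expire field left empty, not a 0.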