Dear Philipp,

I tried to look into that deeper but I could not find any information about how to configure that:

nsswitch.conf states:

shadow: ldap files

A getent delivers:

$ getent shadow bilek1
bilek1:*:::::::0

There is no difference if the user is locked or not. In case I state a userid which does not exist, getent delivers nothing.

Kind regards,
Florian

On Tue, Jul 24, 2012 at 8:52 AM, Philipp Kern <pk...@debian.org> wrote:

> On Mon, Jul 23, 2012 at 10:25:34AM +0100, Malcolm Beattie wrote:
> > There's a section of the sshd(8) man page beginning:
> >     Regardless of the authentication type, the account is checked
> >     to ensure that it is accessible. An account is not accessible
> >     if it is locked, listed in DenyUsers or its group is listed in
> >     DenyGroups. The definition of a locked account is system
> >     dependant. Some platforms...
> >
> > and which then (as I try to ignore the misspelling of dependent)
> > gives O/S-specific ways that it checks for locked accounts,
> > usually by special contents of a directly-accessed shadow
> > password field such as "*LK", "Nologin", "!". From that, I'd guess
> > that sshd may not invoke PAM in a way that would let you use
> > pam_ldap to do the appropriate lookup via LDAP.
>
> It should be sufficient to set up NSS to list the locked password in "getent
> shadow" (as root). Normally you have libnss-ldap(d) in addition to
> libpam-ldap(d).
>
> Kind regards
> Philipp Kern
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>

--
Best regards
Florian Bilek
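
The check discussed in this thread, as an added example that is not part of the original messages: it classifies the password field of a `getent shadow` record to show whether a lock marker is visible through NSS at all. The function names and the `LOCK_PREFIX` variable are hypothetical, and the leading "!" marker is an assumption about the platform.

```sh
#!/bin/sh
# Added example: classify the password field of one shadow(5) record, as
# printed by `getent shadow <user>` run as root.
# Assumption: a leading "!" marks a locked account on this system (one of the
# markers named in the quoted text); set LOCK_PREFIX for other platforms.
LOCK_PREFIX='!'

shadow_lock_state() {
    line=$1
    # getent prints nothing when the user does not exist
    [ -n "$line" ] || { echo "no-entry"; return 0; }
    case $line in
        *:*) ;;
        *) echo "malformed"; return 0 ;;
    esac
    rest=${line#*:}      # drop the login name
    field=${rest%%:*}    # keep only the password field
    case $field in
        "$LOCK_PREFIX"*) echo "locked" ;;        # lock marker is visible
        '*'|x)           echo "placeholder" ;;   # no hash, no lock marker exposed
        '')              echo "empty" ;;
        *)               echo "hash-or-other" ;;
    esac
}

# Live lookup; needs root so that NSS returns the shadow map.
check_user() {
    shadow_lock_state "$(getent shadow "$1")"
}

# Constructed sample records, except the first, which is the output quoted above.
for rec in 'bilek1:*:::::::0' \
           'alice:!$6$constructedsalt$constructedhash:15000:0:99999:7:::' \
           'bob:$6$constructedsalt$constructedhash:15000:0:99999:7:::' \
           ''; do
    printf '%-14s %s\n' "$(shadow_lock_state "$rec")" "${rec:-<no output>}"
done
```

A "placeholder" result for an account that is locked in the directory means the lock state is not reaching the shadow map, so a check on the shadow field cannot see it.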