Try to set the shadow last change to zero. pam_ldap is supposed to
expire the account:
...
    if (session->info->shadow.lstchg == 0)
      {
        /*
         * Adhere to convention of a shadow last change
         * value of 0 implying that the password has
         * expired. Apparently this is documented in the
         * shadow suite (libmisc/isexpired.c).
         */
        session->info->password_expired = 1;
...

sal
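
Added example, not part of the original message and not pam_ldap or shadow suite code: a sketch of how the shadow aging values, including the last-change-of-zero convention quoted above, can be evaluated for a given day. The struct, enum and function names are hypothetical, and the order of the checks after the zero case is an assumption based on the usual shadow aging semantics.

```c
#include <stdio.h>

/* Hypothetical names: this enum, struct and shadow_status() are illustrative only. */
enum shadow_state { SH_OK = 0, SH_MUST_CHANGE, SH_INACTIVE, SH_ACCOUNT_EXPIRED };

struct shadow_aging {
    long lstchg;   /* shadowLastChange: day of last password change, -1 = unset */
    long max;      /* shadowMax: days a password stays valid, -1 = unset */
    long inact;    /* shadowInactive: grace days after expiry, -1 = unset */
    long expire;   /* shadowExpire: day the account expires, -1 = unset */
};

/* All values are days since 1970-01-01, like the shadow attributes. */
enum shadow_state shadow_status(const struct shadow_aging *s, long today)
{
    /* The convention from the excerpt: a last change of 0 means expired. */
    if (s->lstchg == 0)
        return SH_MUST_CHANGE;
    /* Account expiry is independent of password age. */
    if (s->expire > 0 && today >= s->expire)
        return SH_ACCOUNT_EXPIRED;
    /* Without a last change or a maximum age there is nothing to enforce. */
    if (s->lstchg < 0 || s->max < 0)
        return SH_OK;
    /* Password too old and the grace period has also run out. */
    if (s->inact >= 0 && today >= s->lstchg + s->max + s->inact)
        return SH_INACTIVE;
    /* Password too old, but a change at login is still possible. */
    if (today >= s->lstchg + s->max)
        return SH_MUST_CHANGE;
    return SH_OK;
}

int main(void)
{
    /* Constructed sample entries, not taken from any real directory. */
    struct shadow_aging forced = { 0, 90, 7, -1 };
    struct shadow_aging fresh  = { 19000, 90, 7, -1 };
    long today = 19050;

    printf("forced=%d fresh=%d\n",
           shadow_status(&forced, today), shadow_status(&fresh, today));
    return 0;
}
```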
