RSS feed

Dealing with disabled/expired user account authentication

[Date Prev][Date Next] [Thread Prev][Thread Next]

Dealing with disabled/expired user account authentication


I configured nss-pam-ldapd to authenticate with my active directory server.

If the user account is disabled/expired on the Active Directory
server, I see that user authentication fails.

nslcd: [272110] DEBUG: ldap_simple_bind_s("CN=xx,DC=xx,DC=COM","***")
nslcd: [272110] DEBUG: failed to bind to LDAP server
ldaps://xx.xx.xx.xx:636: Invalid credentials
nslcd: [272110] DEBUG: ldap_unbind()
nslcd: [272110] lookup of user CN=xx,DC=xx,DC=COM failed: Invalid credentials
nslcd: [04a8af] DEBUG: connection from pid=5746 uid=0 gid=0
nslcd: [04a8af] DEBUG: nslcd_shadow_byname(xx)
nslcd: [04a8af] DEBUG: myldap_search(base="dc=xx,dc=COM",

>From the logs I see that nss-pam-ldapd is doing a bind with the user
account and it fails.

If I enable the user account, the user authentication succeeds.

Is this behavior configured by the server configuration. When I used
OpenLDAP, I had to set the filters explicitly for the mapped
principal. I am not sure if OpenLDAP does a bind with the user account
that is used for authentication.

It would be good if someone throws light on how this works.

To unsubscribe send an email to or see