Hi, having configured SSSD on RHEL 6.4 to connect to our OpenLDAP server successfully, I can get a list of users and groups using the getent command but cannot ssh into the host or log in via the console.


The following error message is returned in /var/log/secure:


May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=jimbob
May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May  8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from


These are my ldap details:


# extended LDIF

# LDAPv3
# base <uid=jimbob,ou=people,dc=XXX,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# jimbob, People, XXX.com
dn: uid=jimbob,ou=People,dc=XXX,dc=com
givenName: Jim
sn: Bob
uid: jimbob
uidNumber: 1081
homeDirectory: /home/jimbob
loginShell: /bin/bash
cn: Jim Bob
gidNumber: 1398
mail: jim.bob@XXX.com
userPassword:: XXX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount



If I comment out the following line in /etc/pam.d/password-auth then I can log in via ssh but still not the console.


#account     [default=bad success=ok user_unknown=ignore] pam_sss.so


Any help would be greatly appreciated.


Thanks in advance, David.
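
A triage helper for the log excerpt above, added here as an example and not part of the original message: it groups pam_sss lines by PAM service, user and phase, showing that the auth phase succeeds and the account phase is what denies the login. The function names are hypothetical, and the patterns cover only the two pam_sss message shapes quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the three /var/log/secure lines quoted in the message.
SAMPLE = """\
May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=jimbob
May  8 12:18:26 rh-test-mg01 sshd[6660]: pam_sss(sshd:account): Access denied for user jimbob: 6 (Permission denied)
May  8 12:18:26 rh-test-mg01 sshd[6658]: error: PAM: User account has expired for jimbob from
"""

# pam_sss(<service>:<phase>): <message>
PAM_SSS = re.compile(r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$")
AUTH_OK = re.compile(r"authentication success;.*\buser=(?P<user>\S+)")
DENIED = re.compile(r"Access denied for user (?P<user>[^:]+): (?P<code>\d+) \((?P<text>[^)]*)\)")

def pam_phase_results(log_text):
    """Return {(service, user): {phase: outcome}} built from pam_sss lines."""
    results = defaultdict(dict)
    for line in log_text.splitlines():
        m = PAM_SSS.search(line)
        if not m:
            continue  # not a pam_sss line, e.g. sshd's own "error: PAM:" summary
        service, phase, msg = m.group("service", "phase", "msg")
        ok = AUTH_OK.search(msg)
        denied = DENIED.search(msg)
        if ok:
            results[(service, ok.group("user"))][phase] = "success"
        elif denied:
            results[(service, denied.group("user"))][phase] = (
                "denied: %s (%s)" % (denied.group("code"), denied.group("text")))
    return dict(results)

def failing_phase(phases):
    """Return the first PAM management group whose outcome is not success."""
    for phase in ("auth", "account", "password", "session"):
        if phase in phases and phases[phase] != "success":
            return phase
    return None

if __name__ == "__main__":
    for (service, user), phases in pam_phase_results(SAMPLE).items():
        print(service, user, phases, "failing phase:", failing_phase(phases))
```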

