I spent most of Friday trying to find out why I was unable to log in to a newly setup machine via ssh while I could log in on the console. Especially as on another machine with identical configuration, everything worked as expected.

To make a long story short, I identified the culprit being databases/nss_ldap which was 240nb6 on the machine where it worked and 240nb7 on the slightly newer one where it didn't. The relevant change was --enable-schema-mapping.

Digging further into this, I found two things one of which I find a strange behaviour of ssh with UsePam enabled and the other one I suspect to be an error in nss_ldap.

First, even with "UsePam yes", sshd tries to verify that the user's account and password have not expired (auth.c:173). I would prefer having PAM handle this.

Second, it looks like nss_ldap gets the pw_change field wrong (ldap-pwd.c:188):
	pw->pw_change += atol(tmp);
which should read
	pw->pw_change += atol(tmp) * (24*60*60);
shouldn't it?