Hi, I have the following setup. 2 SuSE 9.1 machines, updated. One is the LDAP server and the second one the machine on which I want to login using LDAP accounts.. I have an objectClass uaicCont with all the fields from posixAccounts and shadowAccount. When I log on the second machine and try to change the password using passwd command the userPassword is changed with the new password but the shadowLastChange field on the LDAP server doesn't change. The /etc/openldap/ldap.cont looks like this: ... # Filter to AND with uid=%s pam_filter objectclass=uaicCont pam_login_attribute uid nss_map_objectclass posixAccount uaicCont nss_map_objectclass shadowAccount uaicCont nss_base_passwd <my base dn>?one nss_base_shadow <my base dn>?one ... Also, another weird stuff is that when I log in, I must type the password twice. The first prompt is simply: password, and the second prompt is "LDAP password". The /etc/pam.d/ssh and /etc/pam.d/passwd looks like this: ssh: #%PAM-1.0 auth required pam_unix2.so # set_secrpc auth required pam_nologin.so auth required pam_env.so auth sufficient pam_ldap.so account required pam_unix2.so account required pam_nologin.so password required pam_pwcheck.so password required pam_unix2.so use_first_pass use_authtok password required pam_ldap.so use_authtok session required pam_unix2.so none # trace or debug session required pam_limits.so # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE) #session optional pam_resmgr.so fake_ttyname passwd: #%PAM-1.0 auth sufficient /lib/security/pam_ldap.so auth required pam_unix2.so nullok account sufficient /lib/security/pam_ldap.so account required pam_unix2.so password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok password required pam_pwcheck.so nullok password required pam_unix2.so nullok use_first_pass use_authtok #password required pam_make.so /var/yp session required pam_unix2.so Any ideeas ?