LDAP, PAM, and expiring accounts


I'm using LDAP on a Debian 9.8 system. After receiving a

Your account has expired; please contact your system administrator

for one of my users, I unsuccessfully tried several of the solutions online, but none of them seemed to work fully. I did manage to regain access for the user by changing the password as root (sudo passwd user), but the message kept appearing even though access was granted!

I found that if I comment:

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so

in /etc/pam.d/common-account the message disappears, but it also disappears for all other users who are rightfully expired. How come pam_unix.so (and not pam_ldap) is able to say whether the user account is expired? (/etc/passwd and /etc/shadow do not have the user's info.)

And of course, please advise on how to remove the "account expired" notice for the user whose password has been renewed.

Thanks!

Pato

Posted 2019-07-04T20:13:14.527


No answers
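An added worked example, not part of the question above and not code from any of the projects mentioned: a small POSIX shell function that reproduces the checks pam_unix.so's account module applies to a shadow entry. pam_unix obtains that entry with getspnam(), so for an LDAP user the numeric fields come from the directory's shadowAccount attributes (shadowLastChange, shadowMax, shadowInactive, shadowExpire) via NSS (nslcd or sssd) rather than from /etc/shadow, which is why pam_unix, not pam_ldap, is the module that emits "Your account has expired". The sample entries, the user name and the fixed "today" value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce the decision pam_unix.so's account module makes
# from one shadow entry.  Field order is the /etc/shadow and "getent shadow"
# layout:  name:hash:lastchg:min:max:warn:inact:expire:flag
# Empty numeric fields mean "not set", which glibc reports as -1.

# shadow_verdict LINE [TODAY]
#   LINE  - one line in "getent shadow" format
#   TODAY - days since the epoch (defaults to the real date)
# Prints the PAM result and the reason, e.g. "ACCT_EXPIRED:account".
shadow_verdict() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r name hash lstchg min max warn inact expire flag <<EOF
$line
EOF
    lstchg=${lstchg:--1}; max=${max:--1}; warn=${warn:--1}
    inact=${inact:--1};   expire=${expire:--1}

    # 1. Account expiry day (shadowExpire): the check behind
    #    "Your account has expired".  A password change does not touch it.
    if [ "$expire" -ne -1 ] && [ "$today" -ge "$expire" ]; then
        echo "ACCT_EXPIRED:account"; return
    fi
    # 2. lastchg of 0 means the password must be changed at next login.
    if [ "$lstchg" -eq 0 ]; then
        echo "NEW_AUTHTOK_REQD:must-change"; return
    fi
    # 3. A last-change day in the future is accepted (pam_unix only logs it).
    if [ "$today" -lt "$lstchg" ]; then
        echo "SUCCESS:lastchange-in-future"; return
    fi
    age=$((today - lstchg))
    # 4. Password older than max + inactive days: the account is locked out.
    if [ "$max" -ne -1 ] && [ "$inact" -ne -1 ] && [ "$age" -gt $((max + inact)) ]; then
        echo "ACCT_EXPIRED:password-inactive"; return
    fi
    # 5. Password older than max days: a new password is required.
    if [ "$max" -ne -1 ] && [ "$age" -gt "$max" ]; then
        echo "NEW_AUTHTOK_REQD:password-aged"; return
    fi
    # 6. Inside the warning window: login succeeds with a days-left notice
    #    (simplified here to require max to be set).
    if [ "$max" -ne -1 ] && [ "$warn" -ne -1 ] && [ "$age" -gt $((max - warn)) ]; then
        echo "AUTHTOK_EXPIRED:$((lstchg + max - today))-days-left"; return
    fi
    echo "SUCCESS:ok"
}

# Constructed sample entries (hashes are placeholders), evaluated at a
# fixed "today" of day 18000 so the results are reproducible.
TODAY=18000
# Password reset today, but shadowExpire (day 17900) lies in the past:
# still "account expired", whatever the password was changed to.
S_EXPIRED='pato:$6$placeholder:18000:0:99999:7::17900:'
# Same entry with shadowExpire cleared: login succeeds.
S_CLEARED='pato:$6$placeholder:18000:0:99999:7:::'

demo() {
    for entry in "$S_EXPIRED" "$S_CLEARED"; do
        printf '%s\n  -> %s\n' "$entry" "$(shadow_verdict "$entry" "$TODAY")"
    done
}
demo
```

To inspect a real account, feed the function the output of `getent shadow <user>` (run as root); for an LDAP user that lookup goes through NSS, so it shows exactly the fields pam_unix evaluates. If the entry in the question has a shadowExpire day in the past, branch 1 is the one firing: the password reset updated the last-change day but left shadowExpire alone, so the value to clear or advance is that attribute in the directory, rather than removing the pam_unix account line, which disables the expiry check for every user.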