如何能Centos連OpenLDAP用windows 2012 adlds的account

試了成星期,依家試到 root 用 su -l 可以經 windows 2012 adlds 轉成 ad user,但仍然做不到 putty 入去 centos 時就用 user 登入,另外即使 root 用了 su -l 轉 account,但不能夠在 ldap account 轉成另一個 ldap account ... 已經 google 到頭大了...

LDAP Server: windows server 2012 r2 adlds
LDAP Client: Centos 6 x64

yum 咗 openldap-clients 同 nss-pam-ldapd

nslcd.conf
# nslcd.conf — nss-pam-ldapd client configuration as posted (review comments added).
uid nslcd
gid ldap
# Default search base for every map. It points at OU=Groups, yet getent passwd
# below does return users — presumably they live under this OU; if not, give
# passwd/shadow their own base (`base passwd ...`) rather than relying on this.
base OU=Groups,DC=demo,DC=local
# Plain ldap:// combined with `ssl no` further down: the simple bind below and
# every lookup cross the network unencrypted. Prefer ldaps:// or `ssl start_tls`
# with the CA certificate placed in tls_cacertdir.
uri ldap://dc.demo.local/
binddn CN=ldapadmin,CN=users,DC=demo,DC=local
# NOTE(review): cleartext bind credential. Keep this file readable by root only
# and rotate this password — it has been posted publicly in this thread.
bindpw abcd1234
scope  group  sub
scope  hosts  sub
pagesize 1000
# Not chasing referrals avoids slow/failed lookups against AD-style servers.
referrals off

# Only user objects that carry both uidNumber and unixHomeDirectory are exposed
# as POSIX accounts; computer objects are excluded.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd homeDirectory    unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
# Superseded by the second `filter group` line below (the later definition is
# presumably the one in effect — verify with `nslcd -d`), so this line is dead.
filter group  (objectClass=group)
# Maps shadowLastChange onto itself, i.e. a no-op. The getent shadow output in
# this thread shows 0 for user1/3/4/5 and a day count only for user2; a value of
# 0 is read by pam_unix as "password must be changed at next login", which may
# be what blocks the interactive logins — compare a login as user2 with user1.
map     shadow shadowLastChange shadowLastChange
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember member

bind_timelimit 3
timelimit 3
scope sub
# No TLS at all (see the uri comment above); with this setting the
# tls_cacertdir line below is not consulted.
ssl no
tls_cacertdir /etc/openldap/cacerts

===================================

/etc/pam_ldap.conf

# /etc/pam_ldap.conf — PADL pam_ldap/nss_ldap configuration as posted (review comments added).
# NOTE(review): NSS on this host is already served by nslcd (nslcd.conf above).
# Whether the pam_* settings in this file are honoured depends on which
# pam_ldap.so the PAM stacks load — PADL's (reads this file) or nss-pam-ldapd's
# (talks to nslcd); check with `rpm -qf /lib64/security/pam_ldap.so`.
bind_timelimit 3
timelimit 3
network_timeout 3
bind_policy hard
scope sub
nss_base_passwd dc=demo,dc=local?sub
nss_base_shadow dc=demo,dc=local?sub
nss_base_group  dc=demo,dc=local?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
# pwdLastSet is a Windows FILETIME (100-ns intervals since 1601) while
# shadowLastChange is days since 1970 — presumably this yields a meaningless
# value; verify what `getent shadow` returns when this file is the active source.
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute uid
pam_filter objectclass=user
# Password changes go out with the same `ssl no` transport as the bind, i.e. in clear.
pam_password md5
pam_member_attribute member
# NOTE(review): the users listed by getent passwd have uids 1000-1005, below
# this threshold; if PADL pam_ldap is the module in use it will refuse them.
# Lower or remove this if those accounts are meant to log in.
pam_min_uid 100000
# Only members of this group are admitted — confirm the test users are members.
pam_groupdn cn=Linux Administrators,ou=Groups,dc=demo,dc=local
base dc=demo,dc=local
uri ldap://dc.demo.local/
binddn CN=ldapadmin,CN=Users,DC=demo,DC=local
# NOTE(review): cleartext credential, same value as in nslcd.conf. This file is
# typically world-readable, so restrict it to root (or move the secret out of it)
# and rotate the password, which has been posted publicly here.
bindpw abcd1234
# No TLS: the simple bind password and all lookups travel unencrypted; use
# `ssl start_tls` or an ldaps:// uri with the CA in tls_cacertdir.
ssl no
#tls_cacertdir /etc/openldap/cacerts
tls_cacertdir /etc/openldap/cacerts

===================================

/etc/pam.d/password-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): make changes via authconfig rather than by hand, or the next
# run overwrites them. On CentOS 6 sshd includes password-auth; if that is the
# stack behind this file, these lines decide the PuTTY login.
# Local accounts authenticate via pam_unix; anything else (uid >= 500) falls
# through to pam_ldap reusing the same password.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# pam_unix is `required` here and also evaluates the LDAP user's shadow entry.
# The getent shadow output in this thread shows a last-change field of 0 for
# user1/3/4/5 (user2 has 16635); pam_unix reads 0 as "password must be changed
# at next login", which — if that is what happens — forces these users into the
# password stack below on every login. Compare a login as user2 with user1.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# A forced change for an LDAP user ends up in pam_ldap.so use_authtok, i.e. a
# password modify over the unencrypted connection from pam_ldap.conf.
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Creates /home/<user> on first login with mode 0700; presumably needs oddjobd running.
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

===================================

/etc/pam.d/system-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): make changes via authconfig rather than by hand, or the next
# run overwrites them. On CentOS 6 login and su include system-auth, so this is
# the stack behind the `su -l` tests described in this thread.
auth        required      pam_env.so
# Fingerprint reader; irrelevant for su/ssh and harmless as `sufficient`.
auth        sufficient    pam_fprintd.so
# Local accounts authenticate via pam_unix; anything else (uid >= 500) falls
# through to pam_ldap reusing the same password.
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# pam_unix is `required` here and also evaluates the LDAP user's shadow entry.
# The getent shadow output in this thread shows a last-change field of 0 for
# user1/3/4/5 (user2 has 16635); pam_unix reads 0 as "password must be changed
# at next login", which — if that is what happens — forces these users into the
# password stack below. Compare `su - user2` with `su - user1`.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# A forced change for an LDAP user ends up in pam_ldap.so use_authtok, i.e. a
# password modify over the unencrypted connection from pam_ldap.conf.
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Creates /home/<user> on first login with mode 0700; presumably needs oddjobd running.
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

===================================

如果在 Client 上用 getent passwd 和 getent shadow 會有以下顯示
[root@client ~]# getent passwd

user1:*:1000:501:user1:/home/user1:/bin/bash
user2:*:1001:501:user2:/home/user2:/bin/bash
user4:*:1002:501:user4:/home/user4:/bin/bash
user3:*:1003:501:user3:/home/user3:/bin/bash
user5:*:1005:501:user5:/home/user5:/bin/bash

[root@client ~]# getent shadow
user1:*:0::::::0
user2:*:16635:0:99999:7:::
user4:*:0::::::0
user3:*:0::::::0
user5:*:0::::::0

查過有 * 代表 account disable ... 究竟有甚麼方法可以用到呢
拜託大家幫忙