Default behaviour of expired LDAP accounts in PAM