pam_ldap read not auth on userPassword

by Don-99

Red Hat EL5, OpenLDAP 2.3, nss_ldap 2.53, Zimbra 5

Problem:
When ssh'ing to a system, auth fails unless I enable read permission for
anonymous on attrs=userPassword.

If I have:
access to attrs=userPassword
     by self write
     by anonymous auth

Authentication fails. If I change that to:
access to attrs=userPassword
     by self write
     by anonymous read

Authentication succeeds.

The ldap server logs show a bind as "anonymous", an attempt to read
userPassword, and then nothing. I see no subsequent attempt to re-bind as
the dn found in the initial search.

Here is the log of a failed connection:

Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 BIND dn="" method=128
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 RESULT tag=97 err=0 text=
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=dstahl))"
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

There is no subsequent rebinding as user dstahl.

I know I've missed something obvious, but for the life of me I cannot find
it.

If you need additional logs or other information please let me know.

Thanks in advance,
-Don
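The symptom in the log above (anonymous bind, a search that asks for userPassword, then no BIND as the user's DN) can be picked out mechanically. The following is an added example, not code from the thread: it parses OpenLDAP 2.3 conn/op log lines and classifies each connection as either the pam_ldap flow (re-bind as the found DN, so slapd verifies the password) or the "read the hash" flow (nss_ldap handing userPassword to pam_unix, which only works when anonymous can read the attribute). The sample log is constructed: conn=20 copies the failing connection from the post, conn=21 is an assumed pam_ldap login in the same log format.

```python
"""Classify slapd connections by the authentication flow they show.

Added example, not code from the thread. The log text below is constructed:
conn=20 mirrors the failing connection quoted in the post, conn=21 is an
assumed pam_ldap login (anonymous bind, search for the DN, BIND as that DN).
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 BIND dn="" method=128
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 RESULT tag=97 err=0 text=
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=dstahl))"
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=0 BIND dn="" method=128
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=0 RESULT tag=97 err=0 text=
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=dstahl))"
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=1 SRCH attr=uid
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=2 BIND dn="uid=dstahl,ou=People,dc=example,dc=com" method=128
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=2 BIND dn="uid=dstahl,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=2 RESULT tag=97 err=0 text=
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>[^"]*)"')
ATTR_RE = re.compile(r"^SRCH attr=(?P<attrs>.*)$")
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)")


def parse_slapd(text):
    """Return {conn_id: [ops in log order]}; lines without conn/op are skipped."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, opnum, rest = int(m.group("conn")), int(m.group("op")), m.group("rest")
        ops = conns.setdefault(conn, [])
        b = BIND_RE.match(rest)
        if b:
            ops.append({"op": opnum, "type": "BIND", "dn": b.group("dn")})
            continue
        s = SRCH_RE.match(rest)
        if s:
            ops.append({"op": opnum, "type": "SRCH", "base": s.group("base"),
                        "filter": s.group("filter"), "attrs": []})
            continue
        a = ATTR_RE.match(rest)
        r = RESULT_RE.match(rest)
        # The attr list and the RESULT line carry the op number of the
        # request they belong to; attach them to that entry.
        for op in ops:
            if op["op"] != opnum:
                continue
            if a and op["type"] == "SRCH":
                op["attrs"] = a.group("attrs").split()
            if r:
                op["err"] = int(r.group("err"))
    return conns


def diagnose(ops):
    """Classify one connection's operations.

    ("bind-as-user", dn, err): re-bound as the found DN (pam_ldap flow)
    ("password-read", filter): anonymous search asked for userPassword and
                               never re-bound (hash compared client side)
    ("other", None):           neither pattern
    """
    anon = any(o["type"] == "BIND" and o["dn"] == "" for o in ops)
    user_binds = [o for o in ops if o["type"] == "BIND" and o["dn"]]
    pw_search = [o for o in ops if o["type"] == "SRCH" and "userPassword" in o["attrs"]]
    if user_binds:
        last = user_binds[-1]
        return ("bind-as-user", last["dn"], last.get("err"))
    if anon and pw_search:
        return ("password-read", pw_search[0]["filter"])
    return ("other", None)


def diagnose_log(text):
    """Map every connection in the log text to its diagnosis."""
    return {conn: diagnose(ops) for conn, ops in parse_slapd(text).items()}


if __name__ == "__main__":
    for conn, verdict in diagnose_log(SAMPLE_LOG).items():
        print("conn=%d %s" % (conn, verdict))
```

Run against a real slapd log with loglevel 256 (stats), a "password-read" verdict on a login connection means the client never asked the server to check the password; loosening the ACL to `by anonymous read` makes that flow work only by exposing every password hash to anonymous clients, so the fix belongs on the client, not in slapd.conf.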

AW: pam_ldap read not auth on userPassword

by Patrick von der Hagen-2

Hi Don,

Sounds like you are not using pam_ldap at all, though you are contacting the pamldap list.
nss_ldap is retrieving data from LDAP and some PAM module, like pam_unix, is validating passwords against that data.
Install and configure pam_ldap instead, then you'll see the desired behaviour.
If you already installed pam_ldap, I suppose your PAM config validates passwords with some other module first and does not bother to invoke pam_ldap.
--
CU,
   Patrick.


Re: AW: pam_ldap read not auth on userPassword

by Don-99

> Sounds like you are not using pam_ldap at all, though you are contacting the pamldap list.
> nss_ldap is retrieving data from LDAP and some PAM module, like pam_unix, is validating passwords against that data.
> Install and configure pam_ldap instead, then you'll see the desired behaviour.
> If you already installed pam_ldap, I suppose your PAM config validates passwords with some other module first and does not bother to invoke pam_ldap.
Sigh. I had two major typos in my system-auth file and a couple of other
bits I never would have found until you mentioned I probably wasn't using
pam_ldap at all. I'm going to fix these and test the results, but I'm
nearly certain that was the problem. I spent 2 hours checking the files
and managed to miss these issues several times. I managed to comment out
ldap in nsswitch.conf on the wrong server, then couldn't figure out how it
could still be authing...

Thanks,
-Don

Re: AW: pam_ldap read not auth on userPassword

by Don-99

>> Install and configure pam_ldap instead, then you'll see the desired
>> behaviour.
>> If you already installed pam_ldap, I suppose your PAM config validates
>> passwords with some other module first and does not bother to invoke pam_ldap.
> Sigh- I had two major typos in my system-auth file and a couple of other bits
> I never would have found until you mentioned I probably wasn't using pam_ldap
> at all.
I commented out the nsswitch.conf entries on the correct system and auth
stops working, which finally makes sense. Then I corrected the pam_ldap
entries (which I managed to typo as pam_ladp.so) and of course now
everything works.

Thanks for the help- I never would have looked at those files again if you
hadn't said that was the only possibility.

-Don
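The root cause in this thread was a module name misspelled as pam_ladp.so, which PAM could not load, so pam_unix ended up the only module checking passwords. That class of typo is easy to lint for. The following is an added example, not code from the thread or from pam_ldap: it parses the classic four-column PAM syntax used by RHEL5's /etc/pam.d/system-auth, checks that every named module is actually installed (suggesting the closest installed name for a near miss), that every control word is valid, and that the auth stack contains an installed pam_ldap.so. The sample service file and the module list are constructed so it runs offline; installed_modules() scans the assumed module directories /lib/security and /lib64/security on a real host.

```python
"""Lint a PAM service file for a typo that silently drops pam_ldap.

Added example, not code from the thread. The sample system-auth below is
constructed (it repeats the pam_ladp.so typo from the post); the module
list stands in for what installed_modules() would find under the assumed
directories /lib/security and /lib64/security.
"""
import difflib
import os

CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ladp.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""
SAMPLE_MODULES = {"pam_env.so", "pam_unix.so", "pam_succeed_if.so",
                  "pam_ldap.so", "pam_deny.so", "pam_permit.so"}


def installed_modules(dirs=("/lib/security", "/lib64/security")):
    """pam_*.so names found in the given directories (missing dirs skipped)."""
    found = set()
    for d in dirs:
        if os.path.isdir(d):
            found.update(n for n in os.listdir(d) if n.startswith("pam_") and ".so" in n)
    return found


def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 3:
            yield (lineno, parts[0], None, None, [])
            continue
        if parts[1].startswith("["):
            # bracketed control, e.g. [success=1 default=ignore]; it may span
            # several whitespace-separated tokens up to the closing bracket
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), len(parts) - 1)
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        module = os.path.basename(rest[0]) if rest else None
        yield (lineno, parts[0], control, module, rest[1:])


def lint_pam(text, available):
    """Return [(lineno, message)]; lineno 0 marks a stack-wide problem."""
    problems = []
    ldap_in_auth = False
    for lineno, mtype, control, module, _args in parse_pam(text):
        if control is None or module is None:
            problems.append((lineno, "malformed line"))
            continue
        if control not in CONTROLS and not control.startswith("["):
            problems.append((lineno, "unknown control '%s'" % control))
        if module not in available:
            # A module PAM cannot load is skipped with only a syslog entry,
            # so flag it and suggest the nearest installed name.
            hint = difflib.get_close_matches(module, sorted(available), n=1, cutoff=0.8)
            msg = "module %s is not installed" % module
            if hint:
                msg += " (did you mean %s?)" % hint[0]
            problems.append((lineno, msg))
        elif mtype == "auth" and module == "pam_ldap.so":
            ldap_in_auth = True
    if not ldap_in_auth:
        problems.append((0, "no installed pam_ldap.so in the auth stack: "
                            "passwords are checked by other modules only"))
    return problems


if __name__ == "__main__":
    for lineno, msg in lint_pam(SAMPLE_SYSTEM_AUTH, SAMPLE_MODULES):
        print("line %d: %s" % (lineno, msg))
```

On a live host call `lint_pam(open("/etc/pam.d/system-auth").read(), installed_modules())`; the second check matters because a missing pam_ldap.so line fails silently, leaving pam_unix to authenticate against whatever hash nss_ldap can fetch, which is exactly the state that made `by anonymous read` on userPassword look like a fix.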