I’m putting this here because it took me two days to figure this out. RHEL 5 (or CentOS 5) has OpenLDAP broken out of the box. It does not handle SSHA password hashing (the default for OpenLDAP) properly. If you want OpenLDAP authentication to work with PAM on CentOS 5.3, you MUST edit /etc/openldap/slapd.conf to contain:
If you do not, then as soon as you use ldappasswd to change a password, your user will no longer be able to log in. That is all.
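To confirm which scheme a stored password actually uses after an ldappasswd change, the following added example (not part of the original post) splits a userPassword value into scheme and body and verifies a password against an {SSHA} value. The function names, the 4-byte salt and the sample values are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def split_scheme(user_password):
    """Return (SCHEME, body); a value with no {SCHEME} prefix is cleartext."""
    m = SCHEME_RE.match(user_password)
    if not m:
        return ("CLEARTEXT", user_password)
    return (m.group(1).upper(), m.group(2))

def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, user_password):
    """Verify a password against a {SSHA} value; False for any other scheme."""
    scheme, body = split_scheme(user_password)
    if scheme != "SSHA":
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # malformed base64
        return False
    if len(raw) <= 20:  # a SHA-1 digest is 20 bytes; the remainder is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

# Constructed sample values, not taken from any real directory.
SAMPLES = [
    make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
    "{CRYPT}$1$constructed$notARealHashValue000000",
    "plain-value",
]

def report(samples):
    """List the scheme of each stored value, in order."""
    return [split_scheme(v)[0] for v in samples]
```

ldapsearch prints userPassword in LDIF as `userPassword::` followed by base64, so decode that once to get the `{SCHEME}...` string before passing it to these functions.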